
DEPLOYMENT GUIDE

SSL Insight Deployment for Thunder ADC


Deployment Guide | SSL Insight Deployment for Thunder ADC

Table of Contents
1 Overview ..... 4
2 Deployment Prerequisites ..... 4
3 Architecture Overview ..... 4
3.1 SSL Insight with an Inline Security Deployment ..... 5
4 New SSL Insight Features ..... 6
4.1 Features ..... 6
4.2 CA Certificate ..... 6
5 Configuration Overview ..... 7
5.1 Thunder ADC Appliance Configuration Overview ..... 7
6 Configuration Steps for Thunder ADC Appliances ..... 8
6.1 Network Configuration on the Thunder ADC Appliances ..... 9
6.2 Configure VLANs and add Ethernet and Router Interfaces ..... 9
6.3 Configure IP Addresses on the VLAN Router Interfaces ..... 10
6.4 SSL Insight Configuration on the Thunder ADC Appliances ..... 10
7 Configuration Steps for Security Device ..... 18
8 Summary ..... 19
Appendix ..... 20
Appendix A. Complete Configuration File for the Thunder ADC Appliance ..... 20
Appendix B. Webroot BrightCloud URL Classification ..... 21
Appendix C. Dynamic Port Intercept ..... 23
Configuration Samples for Dynamic Port Intercept ..... 23
Appendix D. Single Appliance SSL Insight Solution ..... 24
Appendix E. ICAP Support in Client Authentication Architecture ..... 25
ICAP Workflow ..... 25
Configuration Requirements ..... 26
Appendix F. Bypass Client Certificate Authentication ..... 26
Configuration for Bypassing SSL Insight for Client Authentication Traffic ..... 27
Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic ..... 27
Appendix G. Explicit Proxy ..... 29
Explicit Proxy Configuration ..... 29
Appendix H. Detailed Walkthrough of SSL Insight Packet Flow ..... 31
Appendix I. SSL Insight Certificate Installation Guide ..... 32
Generating a CA Certificate ..... 32
Installing a Certificate in Microsoft Windows 7 for Internet Explorer ..... 33
Installing a Certificate in Google Chrome ..... 39
Installing a Certificate in Mozilla Firefox ..... 42

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to
fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not
be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.


Appendix J. SSL Insight 4.0.3 Features ..... 44
OCSP Certificate Validation ..... 44
OCSP Certificate Validation Process ..... 45
SSL Debug Alert Messages ..... 47
Forward Proxy Failsafe ..... 48
Command to disable Forward Proxy Failsafe ..... 48
Forward Proxy Inspect ..... 48
Internal Thunder ADC Ends-with Class-list Sample ..... 49
Internal Thunder ADC Key-string Length Class-list Sample ..... 49
Appendix K. Reference Topologies ..... 50
SSL Insight – Inline Single Appliance Deployment ..... 50
SSL Insight – Inline and Passive Mode Security Devices ..... 50
SSL Insight – Network and Passive Mode Security Devices ..... 50
SSL Insight – Inline Mode with Explicit Proxy ..... 51
SSL Insight – ICAP Topology with Explicit Proxy ..... 51
SSL Insight in Passive Inline with Explicit Proxy ..... 52
Inline Mode with Bypass Switch/AFO ..... 52
HA Inline Mode with Bypass Switch/AFO ..... 52
About A10 Networks ..... 53


1 Overview
Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and forensics, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to discover attacks, intrusions, and data exfiltration hidden in encrypted communications. Many types of security devices are deployed non-inline to monitor network traffic; these devices cannot decrypt outbound SSL traffic. Growing SSL bandwidth, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for even the most powerful inline security devices to decrypt SSL traffic. To solve this challenge, the SSL Insight™ feature of the A10 Networks® Thunder® ADC line of application delivery controllers eliminates the blind spot imposed by SSL encryption: it offloads the CPU-intensive SSL decryption functions so that security devices can inspect encrypted traffic, not just clear text. The Thunder ADC SSL Insight feature acts as an SSL forward proxy: it intercepts SSL-encrypted traffic, decrypts it, and forwards it through a firewall or Intrusion Prevention System (IPS). It can also mirror the unencrypted traffic to non-inline security devices such as analytics or forensics products. A second Thunder ADC appliance then takes this traffic, encrypts it again, and sends it to the remote destination.
Using A10's Application Delivery Partitions (ADPs), it is possible to use a single Thunder ADC appliance for encryption, decryption, and load balancing.

2 Deployment Prerequisites
Here are the requirements for an SSL Insight deployment:
• Thunder ADC appliances with A10 Networks Advanced Core Operating System (ACOS®) version 4.0.3 SP9 or later
• A third-party security device such as a firewall, security analytics or forensics appliance, or threat prevention platform
• Deployed in inline (Layer 2), routed (Layer 3) or ICAP mode (DLP or AV ICAP-enabled solutions only)

Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 4.0.1 SP9. Some features in this release can be configured only from the CLI; where this guide provides no GUI steps, the feature is available for CLI configuration only.

3 Architecture Overview
This section illustrates a joint solution using Thunder ADC appliances and a third-party security device for SSL Insight capability. The SSL Insight services are provided by the Thunder ADC appliances, while traffic inspection and monitoring services are provided by the third-party security devices. This is a simple, inline SSL Intercept solution, using two Thunder ADC appliances for SSL decryption and re-encryption.
For additional SSL Insight deployment options, please refer to Appendix J.

Note: The security devices in this deployment guide are set up in Layer 2 (L2) mode.

Figure 1. SSL Insight and Firewall Load Balancing topology example (diagram: Client, Internal Thunder ADC, Security Appliance, External Thunder ADC, Internet)


Figure 2. SSL Insight and Firewall Load Balancing topology in one-box solution (diagram: ADP 1 "Internal" carries Client to Firewall traffic; ADP 2 "External" carries Firewall to Router traffic; the Security Appliance sits between the two partitions, with the Client and the Internet at either end)

3.1 SSL Insight with an Inline Security Deployment

The main function of SSL Insight is to transparently intercept SSL traffic, decrypt it, and send it through the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re-encapsulated in SSL and sent to the destination. A ladder diagram is provided in Appendix B to show this process in greater detail.
There are three distinct stages for traffic in such a solution, depicted in Figure 2:
1. Encrypted: From the client to the internal Thunder ADC appliance; traffic is encrypted.
2. Decrypted: From the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security device; traffic is in clear text in this segment.
3. Encrypted: From the external Thunder ADC appliance to the remote server; traffic is encrypted again.

Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide1 for additional details on the SSL Insight feature.

Figure 3. SSL Insight overview (diagram: Client; stage 1 Encrypted to the Internal Thunder ADC; stage 2 Decrypted through the Inspection and Protection devices, such as DLP, UTM, IDS and others; External Thunder ADC; stage 3 Encrypted across the Internet to the Application Server)


1 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


4 New SSL Insight Features

With growing demand for SSL Insight features, A10 has delivered a new set of SSL Insight features in the ACOS 4.x releases. Each upgrade release within 4.x has its own features, and the administrator must choose the build release based on solution needs. Upgrading to the 4.0.3 build covers all the features of 4.0.1.

4.1 Features
4.1.1 Enhancements for ACOS 4.0.3
• OCSP Support for Server Certificate Validation – this feature is an enhanced version of the server certificate validation introduced in 4.0.3. It is used to validate a server certificate before enabling an SSL session with a remote server, and supports both OCSP and OCSP stapling.
• Debug Messages for SSL Failures – this feature logs TLS alerts when an SSL session fails, and can be deployed on a client-SSL or server-SSL template.
• Forward Proxy Failsafe – this feature is a bypass option for when the SSL forward proxy fails. When enabled, SSL Insight traffic is bypassed if the SSL handshake fails.
• Forward Proxy Inspect – this feature matches traffic against an Aho-Corasick class-list and performs SSL Insight only on traffic that matches the class-list entries.

Note: The features described above are shown in detail in Appendix J.

4.1.2 Enhancements for ACOS 4.0.1

With ACOS 4.0.1, A10 introduced significant new features and capabilities that lay the foundation of a rapid services integration platform for enterprise, cloud, and service provider networks. Within the A10 SSL Insight framework, the following features have been added:
• URL Classification Web Category – Classifies all traffic that passes through the A10 device, with the capability to bypass specific sensitive data (for example, healthcare websites due to HIPAA regulations). Refer to Appendix B for more information.
• Single Appliance SSL Insight Feature – Supports internal and external partitions deployed in a single A10 appliance. Refer to Appendix D for more information.
• Hypervisor-based SSL Insight Support – Supports SSL Insight on ESXi, KVM and Hyper-V hypervisors through the A10 Networks vThunder® line of virtual appliances.
• Dynamic Port Intercept – Dynamically detects and intercepts the use of SSL, regardless of the protocol running on top of TCP. Refer to Appendix C for more information.
• ICAP Support in Client Authentication Architecture – Enables the A10 device to support the Internet Content Adaptation Protocol (ICAP) on HTTP/HTTPS sessions. ICAP typically serves to provide data loss prevention (DLP) and antivirus services.
• Explicit Proxy Support for SSL Insight – Enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).
• Bypass Client Authentication Traffic – Enables the A10 device to bypass certain HTTPS traffic that requires client certificate authentication (CAC/PKI); subjecting this type of traffic to SSL Insight would cause the CAC transaction to fail.

Note: To see configuration details for these features, refer to the A10 Thunder System and Administration Guide2. These features are all available in the 4.0.1 SP9 build.

4.2 CA Certificate
A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self-signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system.
The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance:

2 Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


slb ssl-create certificate <certificate name>

The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL package installed:
openssl genrsa -out <name>.key
openssl req -new -x509 -days 3650 -key <name>.key -out <name>.crt

Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using SFTP or SCP:
import ssl-cert <certificate name> scp://[user@]host/<source file>

This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with SSL enabled. This can be done manually (see Appendix C), or using an automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX clients.

Note: Further details for Group Policy Manager can be found at:
http://technet.microsoft.com/en-us/library/cc772491.aspx
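The following script is an added example and is not part of the A10 guide. It carries the two OpenSSL commands above through to the checks an administrator would want before importing the CA and before pushing it to clients: that the certificate really is a CA, that the private key belongs to it, that a server certificate signed by it validates on a client that trusts the CA, and that the same certificate produces the "untrusted root" failure on a client that does not. It also shows how to confirm, by SHA-256 fingerprint, that the CA is present in a client's PEM trust bundle. The file names, the CA name "SSLi Example CA" and the host name example.test are constructed for the example; it assumes OpenSSL 1.1.1 or later.

```shell
# Added example, not from the A10 guide: generate an SSL Insight CA with
# OpenSSL, sanity-check it before importing it with "import ssl-cert", mint a
# test leaf certificate signed by it (standing in for the certificates the
# forward proxy issues on the fly), and reproduce the "untrusted root" error
# a client gets when the CA was never pushed to it. File names, the CA name
# "SSLi Example CA" and the host name example.test are constructed here.
# Assumes OpenSSL 1.1.1 or later.

# Self-contained OpenSSL config so the result does not depend on the system
# openssl.cnf: v3_ca marks the certificate as a CA, v3_leaf is for test certs.
ssli_write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
}

# The guide's two commands, with an explicit 2048-bit key and CA extensions.
# Produces $1/ca.key and $1/ca.crt.
ssli_make_ca() {
  ssli_write_cnf "$1/ssli.cnf"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 3650 -key "$1/ca.key" -config "$1/ssli.cnf" \
    -extensions v3_ca -subj "/CN=SSLi Example CA" -out "$1/ca.crt" 2>/dev/null
}

# Pre-import check 1: the certificate carries CA:TRUE. Without it, browsers
# reject every server certificate the proxy signs with it.
ssli_ca_is_ca() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Pre-import check 2: the private key ($2) belongs to the certificate ($1);
# both sides are reduced to their public-key PEM and compared.
ssli_key_matches() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Sign a test server certificate for host $2 with the CA in $1.
ssli_issue_leaf() {
  openssl genrsa -out "$1/leaf.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$1/leaf.key" -config "$1/ssli.cnf" \
    -subj "/CN=$2" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/ssli.cnf" -extensions v3_leaf \
    -out "$1/leaf.crt" 2>/dev/null
}

# Validate leaf $1 as a client would. With a CA file in $2 it passes; with $2
# empty no trust anchor is used at all, which is exactly the "untrusted root"
# (unable to get local issuer certificate) failure of an unprovisioned client.
ssli_verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

# Is CA $2 present in a client's PEM bundle $1 (e.g. the system CA bundle)?
# Compares SHA-256 fingerprints, so the match is independent of file names.
ssli_bundle_contains() {
  want=$(openssl x509 -noout -fingerprint -sha256 -in "$2") || return 1
  block=""
  while IFS= read -r line; do
    block="$block$line
"
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      got=$(printf '%s' "$block" | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
      [ "$got" = "$want" ] && return 0
      block=""
    fi
  done < "$1"
  return 1
}
```

Typical use is `d=$(mktemp -d); ssli_make_ca "$d"; ssli_ca_is_ca "$d/ca.crt" && ssli_key_matches "$d/ca.crt" "$d/ca.key"` before running `import ssl-cert`, then `ssli_issue_leaf "$d" example.test; ssli_verify_leaf "$d/leaf.crt" "$d/ca.crt"` to confirm the chain builds. On a Linux or UNIX client, `ssli_bundle_contains /path/to/client-bundle.pem "$d/ca.crt"` tells the login script whether the CA still needs to be installed; on Windows the Group Policy push mentioned above plays the same role.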

5 Configuration Overview
Configuration options for the SSL Insight feature are as follows:
1. Network configuration on the Thunder ADC appliance
2. SSL Insight configuration on the Thunder ADC appliance
3. Configuration on the third-party security device

5.1 Thunder ADC Appliance Configuration Overview


The following sections provide more information about the Thunder ADC configuration items listed in the
previous section.

5.1.1 Network Configuration Overview


This solution has one Thunder ADC appliance in the external zone of the security devices and another Thunder
ADC appliance in the internal zone of the security devices. This solution assumes that the security devices are
configured in L2 transparent mode. Therefore, the Thunder ADC interfaces can be configured in one of the
following modes:
• As untagged VLAN interfaces with L3 Virtual Ethernet (VE) configured in the same subnet
• As tagged VLAN interfaces with L3 VEs configured in the same subnet
• As L3 PHY interfaces without requiring any VLANs

This guide follows the first approach where the Thunder ADC appliances are configured with untagged VLAN
interfaces.

5.1.2 SSL Insight Configuration Overview


The SSL Insight configuration is slightly different on the external Thunder ADC appliance compared to the
internal Thunder ADC appliance. The primary difference is that client-SSL and server-SSL templates are required
on the internal and the external Thunder ADC appliance respectively. Only SSL traffic is intercepted.
SSL Insight Configuration on Internal Thunder ADC Appliance
SSL Insight configuration on the internal Thunder ADC appliance has the following key elements:
• SSL traffic entering on port 443 is intercepted.
-- Port 443 is defined under a wildcard VIP to achieve this.
• The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated,
except for the issuer and base64 encoded public key.


-- A client-SSL template is used for this. The client-SSL template includes the required command forward-proxy-enable, along with the local CA certificate (from 4.1) and its private key, which is used for signing the dynamically forged certificates.
• The remote VE address of the external Thunder ADC is added as an SLB server, establishing the security device path. Port 8080 is defined for the security device path.
-- The command slb server defines the security device path, and port number 8080 is added under it.
• Along with the protocol (HTTPS to HTTP), the destination port also changes from 443 to 8080.
-- A service group is defined with port 8080 and bound to the virtual port.
• However, the destination IP (i.e. the Internet server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
-- The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP on port 8080 through the security device.
SSL Insight Configuration on External Thunder ADC Appliance
SSL Insight configuration on the external Thunder ADC appliance is simpler than the internal Thunder ADC appliance configuration. This configuration has the following key elements:
• Clear-text HTTP traffic entering on port 8080 is intercepted.
-- Port 8080 is defined under a wildcard VIP to achieve this.
• The next-hop gateway (default router) is defined as an SLB server.
-- The command slb server defines the default router IP address, and port number 443 is added under it.
• Along with the protocol (HTTP to HTTPS), the destination port also changes from 8080 to 443.
-- A service group is defined with port 443 and bound to the virtual port.
• However, the destination IP (i.e. the Internet server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
• Incoming HTTP traffic is converted into SSL traffic and sent out on port 443.
-- A server-SSL template is defined and applied to the virtual port. The template includes the command forward-proxy-enable. Optionally, a root CA certificate store file may also be applied to the server-SSL template.

5.1.3 Security Device Configuration

Third-party security devices must be configured according to the recommended best practices of the security vendor. The key requirements for enabling SSL Insight in this configuration are:
• ARP packets should be allowed for both the internal and external Thunder ADC appliances.
• Health-check packets should be allowed from the internal Thunder ADC appliance to the external Thunder ADC appliance, unless health checks are disabled.

6 Configuration Steps for Thunder ADC Appliances


This section provides detailed steps for configuring SSL Insight on Thunder ADC. Complete configuration
details for both internal and external Thunder ADC appliances are shown in Appendix A.


6.1 Network Configuration on the Thunder ADC Appliances


The steps in this section configure the following networking parameters:
• VLANs and their router interfaces
• Virtual Ethernet (VE) interfaces, which are IP addresses assigned to VLAN router interfaces
The goal is to achieve the following IP addressing scheme on both Thunder ADC appliances as shown in Figure 1:

Appliance       VLAN   VE IP Address      Interface
Internal ADC    10     10.10.1.2 /24      eth1
Internal ADC    15     10.15.1.2 /24      eth5
External ADC    20     20.1.1.2 /24       eth1
External ADC    15     10.15.1.12 /24     eth5

6.2 Configure VLANs and add Ethernet and Router Interfaces


Configure the following VLAN parameters on the internal Thunder ADC appliance as shown in Figure 1:
• VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface.
• VLAN-15: This is the path to the external Thunder ADC appliance through the security device. Add router-interface ve 15 along with the Ethernet interface.
Using the CLI:
ACOS(config)#vlan 10
ACOS(config-vlan:10)#untagged ethernet 1
ACOS(config-vlan:10)#router-interface ve 10
ACOS(config-vlan:10)#exit
ACOS(config)#vlan 15
ACOS(config-vlan:15)#untagged ethernet 5
ACOS(config-vlan:15)#router-interface ve 15
ACOS(config-vlan:15)#exit

Using the GUI:


1. Navigate to Network > VLAN.
2. Click Create.
3. Enter the VLAN ID, select the interfaces.
4. Name (Optional).
5. Check Create Virtual Interface.
6. Click Create VLAN.
7. Repeat for each VLAN.


6.3 Configure IP Addresses on the VLAN Router Interfaces


Make sure the promiscuous VIP option is enabled under ve 10, so that inbound traffic on that interface is subject to the wildcard VIP.
Using the CLI:
ACOS(config)#interface ve 10
ACOS(config-if:ve10)#ip address 10.10.1.2 /24
ACOS(config-if:ve10)#ip allow-promiscuous-vip
ACOS(config-if:ve10)#exit
ACOS(config)#interface ve 15
ACOS(config-if:ve15)#ip address 10.15.1.2 /24
ACOS(config-if:ve15)#exit

Using the GUI:


1. Navigate to Network > Interfaces > Virtual Ethernets. The interfaces configured above should be visible.
2. Click edit on ifnum “100” and configure the general fields and IPv4 address.
3. Click update when done.
4. Repeat for each VE.
5. Enter the IP Address and Subnet and click add.
6. Enable the “Allow Promiscuous VIP” option.
7. Click update and continue.


Repeat the steps above on the external Thunder ADC appliance pair, and make sure to use unique IP addresses.

6.4 SSL Insight Configuration on the Thunder ADC Appliances


SSL Insight configuration on the internal Thunder ADC appliance will intercept traffic on TCP port 443, decrypt it, and send it in clear text over TCP port 8080 to the security device. In turn, the external Thunder ADC appliance will intercept the clear-text traffic arriving on TCP port 8080 and encrypt it again before sending it to the remote hosts. All other traffic will be bypassed using wildcard TCP and UDP ports, as configured in the following sections.


6.4.1 Internal Thunder ADC Appliance


Use the following steps to configure the SSL Insight parameters on the internal Thunder ADC appliance.
Configure Server for VLAN-15
These steps configure an slb server with the VE address for VLAN 15 on the external Thunder ADC appliance. TCP port 8080 is added under the slb server for SSL Insight, along with wildcard TCP port 0 and UDP port 0 for all other traffic.
Using the CLI:
ACOS(config)#slb server SecurityDevice1_Path 10.15.1.12
ACOS(config-real server)#port 8080 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 udp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Using the GUI:


1. Navigate to ADC > SLB > Servers.
2. Click Create.
3. Enter the following settings:
• Name: “SecurityDevice1_Path”
• Select IPv4
• IP Address: 10.15.1.12

On the right-hand side of the GUI, within the Port section, click Create.
4. Enter port parameters:
• Port: “8080”
• Protocol: “TCP”
• Health Monitor: Select blank (disabled).
• Click Add.


5. Enter port parameters:


• Port: “0”
• Protocol: “TCP”
• Health Monitor: Select blank (disabled).
• Click Add.
6. Repeat for UDP port 0.
7. Click OK.

Configure a Service Group


The following steps will add the slb server to a service group.
Using the CLI:
ACOS(config)#slb service-group SSLi tcp
ACOS(config-slb svc group)#member SecurityDevice1_Path 8080
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group All_TCP tcp
ACOS(config-slb svc group)#member SecurityDevice1_Path 0
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group All_UDP udp
ACOS(config-slb svc group)#member SecurityDevice1_Path 0
ACOS(config-slb svc group)#exit

Note: The service-group member syntax changed between releases: ACOS 2.7 requires a “:” between the server name and the port when you configure the member, whereas ACOS 4.0.1 does not require the colon.

Using the GUI:


1. Navigate to ADC > SLB > Service Groups.
2. Click Create.
3. Enter the following parameters:
• Name: “SSLi”
• Type: “TCP”
4. Click on Create on the Member section.
5. Select the Existing Server option, and select SecurityDevice1_Path from the drop-down list.
6. Enter the Port, “8080”.
7. Click Create.
8. Enter the following parameters:
• Name: “All_TCP”
• Type: “TCP”
9. Click Create on Service Groups section.


10. Select the Existing Server option and select, SecurityDevice1_Path from the drop-down list.
11. Select the Port, “0”.
12. Click Add.
13. Repeat for UDP port 0.
14. Click OK.

Configure the Client-SSL Template


These steps show the configuration of the client-SSL template. The command forward-proxy-enable is what
enables SSL Insight on the client-SSL template. “Forward proxy” is an A10-specific term and is different from the
traditional explicit-proxy function.

Note: These steps assume that the CA certificate and its private key have been uploaded to the Thunder ADC
appliance. For instructions on uploading CA certificates and keys, please refer to the ACOS Application Delivery and
Server Load Balancing Guide [3].

Using the CLI:


ACOS(config)#slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)#forward-proxy-ca-cert SSLi-CA
ACOS(config-client ssl)#forward-proxy-ca-key SSLi-CA
ACOS(config-client ssl)#forward-proxy-enable
ACOS(config-client ssl)#exit

Using the GUI:


1. Navigate to Config Mode > SLB > Template > SSL > Client SSL.
2. Click Create and select Client SSL.
3. Enter a Name, “SSLInsight_ClientSide”.
4. Select the CA certificate from the CA Certificate drop-down list.
5. Select the private key from the CA Private Key drop-down list.
6. Select Forward Proxy Enable.
7. Click OK.

[3] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.

Configure the ACL


These steps show the configuration of an extended ACL that intercepts incoming traffic on VLAN-10. This ACL is
used as part of the wildcard VIP configuration below.
Using the CLI:
ACOS(config)#access-list 100 permit ip any any vlan 10

Using the GUI:


1. Navigate Network > ACL > Extended.
2. Click Create.
3. Enter or select the following settings:
• ID: “100”
• Select “Entry”
• Action: “Permit”
• Service: “Protocol” and “IP”
• Source Address: “Source Address” and select “Any”
• Destination Address: “Destination Address” and select “Any”
• VLAN ID: “100”
4. Click OK.

Configure the Wildcard VIP


These commands add the service groups to the TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command preserves the destination IP address of load-balanced traffic. The “others” wildcard VIP port
can take an already defined TCP or UDP service group; in this example, the UDP service group is used.
For SSL Insight, virtual port 443 is used. The no-dest-nat port-translation command converts incoming
port 443 traffic to port 8080 while preserving the destination IP address.
Using the CLI:
ACOS(config)#slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#service-group SSLi
ACOS(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group All_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group All_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group All_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit

Using the GUI:


1. Navigate to ADC > SLB > Virtual Server.
2. Click Create.
3. Enter or select the following settings:
• Name: “Outbound_Wildcard_VIP”
• Wildcard: Select the checkbox.
• Access List: “100”

4. From the Virtual Port area click Create.


5. Enter or select the following settings:
• Name: Outbound_Wildcard_VP
• Type: “HTTPS”
• Port: “443”
• Service Group: “SSLi”

• Direct Server Return: Select Enabled, and select the Port Translation checkbox.
• Client-SSL Template: “SSLInsight_ClientSide”

6. Enter or select the following settings:


• Type: “TCP”
• Port: “0”
• Service Group: “All_TCP”
• Direct Server Return: Select Enabled.
7. Click OK to exit the Virtual Server Port configuration page.
8. Click OK to exit the Virtual Server configuration page.

6.4.2 External Thunder ADC Appliance


Use the following steps to configure SSL Insight parameters in the external Thunder ADC Appliance.

Note: For brevity, only the CLI commands are shown in this section.

Add TCP Port 443 to the Default Gateway


These steps define the default gateway as an slb server, and add TCP port 443 for HTTPS traffic under the
default gateway.
ACOS(config)#slb server Default_Gateway 20.1.1.10
ACOS(config-real server)#port 443 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Add TCP Port 0 and UDP Port 0 to the Default Gateway


These steps add TCP port 0 and UDP port 0 for all other traffic under the default gateway configuration.
ACOS(config)#slb server Default_Gateway 20.1.1.10
ACOS(config-real server)#port 0 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#port 0 udp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

Bind the Server Ports to a Service Group


These steps add the default gateway server ports to a service group.
ACOS(config)#slb service-group DG_SSL tcp
ACOS(config-slb svc group)#member Default_Gateway 443
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group DG_TCP tcp
ACOS(config-slb svc group)#member Default_Gateway 0
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group DG_UDP udp
ACOS(config-slb svc group)#member Default_Gateway 0
ACOS(config-slb svc group)#exit

Configure the Server-SSL Template


These steps configure the server-SSL template.
Using the CLI:
ACOS(config)#slb template server-ssl SSLInsight_ServerSide
ACOS(config-server ssl)#forward-proxy-enable
ACOS(config-server ssl)#exit

Using the GUI:


1. Navigate to SLB/ SLB.
2. Click Add.
3. Enter a Name, “SSLInsight_ServerSide”.
4. Click Create and select Server SSL.
5. Select Enabled next to SSL Forward Proxy.
6. Leave other fields blank.
7. Click OK.

Configure an ACL to Intercept Incoming Traffic on VLAN-15 for a Wildcard VIP


These steps configure an extended ACL to intercept traffic on VLAN-15. This ACL will be used as part of the
following wildcard VIP configuration:
ACOS(config)#access-list 101 permit ip any any vlan 15

Configure the Wildcard VIP


These commands add the service groups to the TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command is used to preserve the destination IP address. Virtual port 8080 is added for the SSL Insight
configuration. The no-dest-nat port-translation command is used to convert incoming TCP port 8080 traffic to
HTTPS port 443, while preserving the destination IP address.
ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#service-group DG_SSL
ACOS(config-slb vserver-vport)#template server-ssl SSLInsight_ServerSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group DG_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit

7 Configuration Steps for Security Device


Security devices must be configured in Layer 2, transparent mode. Please refer to the configuration steps
shown in your security device documentation.

8 Summary
Unprecedented growth in encrypted traffic, coupled with increasing SSL key lengths and more computationally
complex SSL ciphers, makes it difficult for inline security devices to decrypt SSL traffic. A wide range of security
devices require visibility into encrypted traffic to discover attacks, intrusions and malware. SSL Insight, included
as a standard feature of Thunder ADC, offers organizations a powerful load-balancing, high availability and SSL
decryption solution. Using SSL Insight, organizations can:
• Analyze all network data, including encrypted data, eliminating blind spots in their threat protection
solution
• Provide advanced SSL inspection features and SSL decryption for third-party security devices
• Detect encrypted malware, insider abuse and attacks transported over SSL/TLS
• Deploy best-of-breed content inspection solutions to fend off cyber attacks
• Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit
ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors

For more information about Thunder ADC products:


• https://www.a10networks.com/products/thunder-series/thunder-application_delivery_controller
• https://www.a10networks.com/resources/solution-briefs
• https://www.a10networks.com/resources/case-studies

Appendix
The Appendix section provides a list of configuration options as referred to in the main document. Some
features shown may not have a GUI configuration. We suggest using the CLI-only configuration samples
until the next ACOS release becomes available.

Appendix A. Complete Configuration File for the Thunder ADC Appliance

Internal Unit Configuration
hostname Thunder-Internal
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 15
untagged ethernet 5
router-interface ve 15
!
access-list 100 permit ip any any vlan 10
!
interface ve 10
ip address 10.10.1.2 255.255.255.0
ip allow-promiscuous-vip
!
interface ve 15
ip address 10.15.1.2 255.255.255.0
!
slb server SecurityDevice1_Path 10.15.1.12
port 0 tcp
no health-check
port 0 udp
no health-check
port 8080 tcp
no health-check
slb service-group All_UDP udp
member SecurityDevice1_Path 0
!
slb service-group All_TCP tcp
member SecurityDevice1_Path 0
!
slb service-group SSLi tcp
member SecurityDevice1_Path 8080
slb template client-ssl SSLInsight_ClientSide
forward-proxy-enable
forward-proxy-ca-cert SSLi-CA
forward-proxy-ca-key SSLi-CA
!
slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
port 0 tcp
service-group All_TCP
no-dest-nat
port 0 udp
service-group All_UDP
no-dest-nat
port 0 others
service-group All_UDP
no-dest-nat
port 443 https
service-group SSLi
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
!
end

External Unit Configuration
hostname Thunder-External
!
vlan 20
untagged ethernet 1
router-interface ve 20
!
vlan 15
untagged ethernet 5
router-interface ve 15
!
access-list 101 permit ip any any vlan 15
!
interface ve 20
ip address 20.1.1.2 255.255.255.0
!
interface ve 15
ip address 10.15.1.12 255.255.255.0
ip allow-promiscuous-vip
!
slb template server-ssl SSLInsight_ServerSide
forward-proxy-enable
!
slb server Default_Gateway 20.1.1.10
port 0 tcp
no health-check
port 0 udp
no health-check
port 443 tcp
no health-check
slb service-group DG_TCP tcp
member Default_Gateway 0
!
slb service-group DG_UDP udp
member Default_Gateway 0
slb service-group DG_SSL tcp
member Default_Gateway 443
!
slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
port 0 tcp
service-group DG_TCP
no-dest-nat
port 0 udp
service-group DG_UDP
no-dest-nat
port 0 others
service-group DG_UDP
no-dest-nat
port 8080 http
service-group DG_SSL
template server-ssl SSLInsight_ServerSide
no-dest-nat port-translation
!
end
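As an added check (example code written for this guide, not an A10 tool), the following Python parses the flat ACOS running-config format shown above and verifies the cross-references the SSLi path relies on: service-group members point at real server ports, the intercepting vport carries a forward-proxy template, and no-dest-nat port-translation is present. The embedded configuration is a constructed copy of the internal unit's SLB objects, and the member parser also accepts the 2.7 "server:port" form mentioned earlier.

```python
"""Added example (not A10 code): parse a flat ACOS SLB running-config and
check the cross-references an SSL Insight wildcard VIP depends on."""

# Constructed sample: the internal unit's SLB objects, reduced to the SSLi path.
INTERNAL_CONFIG = """\
slb server SecurityDevice1_Path 10.15.1.12
port 8080 tcp
no health-check
slb service-group SSLi tcp
member SecurityDevice1_Path 8080
!
slb template client-ssl SSLInsight_ClientSide
forward-proxy-enable
forward-proxy-ca-cert SSLi-CA
forward-proxy-ca-key SSLi-CA
!
slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
port 443 https
service-group SSLi
template client-ssl SSLInsight_ClientSide
no-dest-nat port-translation
!
end
"""


def parse_acos(text):
    """Collect servers, service groups, templates and virtual servers from the
    unindented running-config by tracking the current top-level object."""
    cfg = {"servers": {}, "sgs": {}, "tmpls": {}, "vss": {}}
    ctx, vport = None, None          # current top-level object, current vport
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "end"):
            continue
        if t[0] == "slb":            # start of a new top-level object
            vport = None
            if t[1] == "server":
                ctx = cfg["servers"].setdefault(t[2], {"ip": t[3], "ports": set()})
            elif t[1] == "service-group":
                ctx = cfg["sgs"].setdefault(t[2], {"proto": t[3], "members": []})
            elif t[1] == "template":
                ctx = cfg["tmpls"].setdefault(t[3], {"kind": t[2], "fwd_proxy": False})
            elif t[1] == "virtual-server":
                ctx = cfg["vss"].setdefault(t[2], {"ports": {}})
        elif ctx is None:
            continue
        elif t[0] == "port" and "ports" in ctx:
            key = (int(t[1]), t[2])
            if isinstance(ctx["ports"], set):      # real-server port
                ctx["ports"].add(key)
            else:                                  # virtual port with its own settings
                vport = ctx["ports"][key] = {"sg": None, "tmpl": None,
                                             "no_dest_nat": False, "port_xlate": False}
        elif t[0] == "member" and "members" in ctx:
            # ACOS 2.7 writes 'member server:port'; 4.0.1 writes 'member server port'
            name, port = t[1].split(":") if ":" in t[1] else (t[1], t[2])
            ctx["members"].append((name, int(port)))
        elif t[0] == "forward-proxy-enable" and "kind" in ctx:
            ctx["fwd_proxy"] = True
        elif vport is not None:
            if t[0] == "service-group":
                vport["sg"] = t[1]
            elif t[0] == "template":
                vport["tmpl"] = (t[1], t[2])
            elif t[0] == "no-dest-nat":
                vport["no_dest_nat"], vport["port_xlate"] = True, "port-translation" in t
    return cfg


def check_ssli_vport(cfg, vs_name, vport_key, tmpl_kind, real_port):
    """Return findings for the intercepting vport (empty list = consistent).

    vport_key is (443, 'https') on the internal unit or (8080, 'http') on the
    external unit; tmpl_kind is 'client-ssl' or 'server-ssl'; real_port is the
    port the traffic must be translated to (8080 inbound, 443 outbound)."""
    out = []
    vp = cfg["vss"].get(vs_name, {}).get("ports", {}).get(vport_key)
    if vp is None:
        return [f"{vs_name}: vport {vport_key} not found"]
    sg = cfg["sgs"].get(vp["sg"])
    if sg is None:
        out.append(f"service-group {vp['sg']} is not configured")
    else:
        for name, port in sg["members"]:
            if (port, sg["proto"]) not in cfg["servers"].get(name, {}).get("ports", set()):
                out.append(f"member {name} port {port} {sg['proto']} does not exist")
            if port != real_port:
                out.append(f"member {name} uses port {port}, expected {real_port}")
    tmpl = cfg["tmpls"].get(vp["tmpl"][1]) if vp["tmpl"] else None
    if tmpl is None or tmpl["kind"] != tmpl_kind:
        out.append(f"no {tmpl_kind} template bound")
    elif not tmpl["fwd_proxy"]:
        out.append(f"template {vp['tmpl'][1]} lacks forward-proxy-enable")
    if not vp["no_dest_nat"]:
        out.append("no-dest-nat missing: destination IP would be rewritten")
    if not vp["port_xlate"]:
        out.append(f"port-translation missing: traffic would leave on {vport_key[0]}")
    return out
```

Run the same check on the external unit with `(8080, "http")`, `"server-ssl"` and `443` to confirm the return path translates 8080 back to 443.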

Appendix B. Webroot BrightCloud URL Classification


SSL Insight technology includes a subscription service called Dynamic Web Category Classification via
Webroot BrightCloud’s Threat Intelligence Services. This service allows customers to granularly control which
types of SSL traffic to decrypt and which types to forward without inspection. Thunder ADC customers
can analyze and secure SSL traffic while bypassing communications to sensitive sites such as banking and
healthcare applications.

Figure 4. A10 and Webroot architecture (diagram: Client, A10 Thunder ADC, Web Classification Cloud, Security Device, Internet Server; encrypted and decrypted traffic segments)

When a user’s client browser sends a request to a URL, ACOS checks the category of the URL.
• If the category of the URL is allowed by the configuration, the Internal Thunder ADC device leaves
the data encrypted and sends it to the SSL Insight outside device, which sends the encrypted data to
the server.
• If the category of the URL is not allowed by the configuration, the Internal Thunder ADC device decrypts
the traffic and sends it to the traffic inspection device.
Installation requirements:
• Must have a Webroot/BrightCloud URL Classification Subscription and per Thunder ADC device licensing
(contact your Regional Sales Director for pricing).
• Internal Thunder ADC must have access to the Internet for Webroot database download.
• DNS configuration is required.

To install the URL classification feature, you must have a Webroot token license sent from the A10 Global
License Manager (GLM). Once received, initiate the following command within CLI only:
SSLi(config)#import web-category-license “license token name”

Once the license has been imported, initiate a “web-category enable” command. This feature enables
the Thunder ADC device to communicate with the BrightCloud database server and download the URL
Classification database. When the download is complete, the CLI prints a “Done” confirmation if the
import was successfully initiated; otherwise, an error message will appear. For additional debugging and
installation reference, please refer to the Webroot Category Installation Guide [4].
vThunder(config)#import web-category-license license use-mgmt-port scp://example@10.100.2.20/home/jsmith/webroot_license.json
Done. <-- this brief message confirms successful import of the license

If a failure occurs, ACOS will display an error message similar to the following:
vThunder(config)#import web-category-license license use-mgmt-port scp://example@10.100.2.20/home/jsmith/webroot_license.json
Communication with license server failed <-- this message indicates failed import
Note: The Webroot database will download from the data interface by default. There is an option to configure from
the management interface but it is not recommended.
To enable the Webroot URL classification feature, you must have the following configuration within the client
SSL template.
Here is a sample configuration:
slb template client-ssl ssli-client-template
forward-proxy-enable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category business-and-economy
forward-proxy-bypass web-category health-and-medicine

[4] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.

Appendix C. Dynamic Port Intercept


The Dynamic Port Intercept feature dynamically detects and intercepts any HTTPS traffic on any TCP session,
regardless of the protocol running on top of TCP. To configure Dynamic Port Intercept on an A10 device, the
SSL Insight configuration can remain the same except for a few changes. On the Internal Thunder ADC, the
administrator needs to deploy two separate real-server configurations: one for standard SSL traffic and another
for bypassed and non-SSL traffic. The External A10 device likewise requires two real-server configurations, one
for SSL traffic and one for non-SSL traffic, both of which forward all traffic to the Internet default gateway.

Configuration Samples for Dynamic Port Intercept


slb server Gateway 10.10.4.1
health-check-disable
port 0 tcp
health-check-disable
port 0 udp
health-check-disable
!
!
slb service-group Outbound_TCP tcp
member Gateway 0
!
slb service-group Outbound_UDP udp
member Gateway 0
!
slb template server-ssl Server-SSL
forward-proxy-enable
!
slb virtual-server Outside_SSLi_VIP 0.0.0.0 acl 101
port 0 tcp-proxy
service-group Outbound_TCP
template server-ssl Server-SSL
no-dest-nat
use-rcv-hop-for-resp
!
slb virtual-server Outside_nonSSLi_VIP 0.0.0.0 acl 102
port 0 tcp
service-group Outbound_TCP
no-dest-nat
use-rcv-hop-for-resp
port 0 udp
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
port 0 others
service-group Outbound_UDP
no-dest-nat
use-rcv-hop-for-resp
!
end

Appendix D. Single Appliance SSL Insight Solution


This section provides instructions on how to configure the ADP partitions within a single A10 appliance. To
deploy SSL Insight, you will need at least two partitions: one to decrypt SSL traffic and a second to encrypt
it again.
To create a partition, navigate to the right-hand side of the GUI and click the dropdown under Partition: shared,
then select +Create.
Administrator account privilege is required to create partitions:
Partition Name | Device ID     | Type
Internal       | Unique Number | ADC
External       | Unique Number | ADC

Figure 5. Partition creation

To navigate from one partition to another, select the top right-hand corner under Partition:”xxxx” and select the
appropriate partition to configure.
Here are a few commonly used CLI commands for an ADP configuration:
• To create a partition:
- SSLi(config)#partition “internal” id 2 application-type adc
• To switch from one partition to another (the CLI confirms the change and the prompt then shows the active partition):
- SSLi(config)#active-partition “internal”
- Current active partition: internal
- SSLi[internal](config)#

Once the SSL Insight partitions have been configured, the Thunder ADC appliance should have at least three
partitions: Shared, Internal and External.

Note: Please make sure that you are on the correct partition when creating configurations. In addition, you will need
to use the command system ve-mac-scheme system-mac to support MAC address duplication in a single device
solution.

Appendix E. ICAP Support in Client Authentication

Architecture
The Internet Content Adaptation Protocol (ICAP) has become a de facto standard in the security industry: a
lightweight HTTP-like protocol that integrates with proxy servers or server load balancers. A10 has developed
an integration based on RFC 3507 to support SSL Insight deployments.
To integrate the A10 Thunder ADC with ICAP services, you must deploy your A10 device as a forward-proxy
server that intercepts HTTP and HTTPS traffic, which is then passed to the security device that supports
ICAP services.

Figure 6. ICAP integration (diagram: HTTP client, Thunder ADC, ICAP security appliance providing DLP/AV services, Internet; HTTP legs on the client and Internet sides, ICAP leg to the security appliance)

ICAP Workflow
1. The web client sends a GET (that is, an HTTP request) to the web server.
2. The Thunder ADC intercepts the request and forwards it to the ICAP server in an ICAP REQMOD message.
3. The ICAP server sends a REQMOD response to the Thunder ADC.
4. Depending on the ICAP REQMOD response, the Thunder ADC takes one of the following actions:
• The ICAP REQMOD response has Status Code 200 and contains an HTTP request.
The Thunder ADC sends the HTTP request contained in the ICAP response to the web server (instead of
the original intercepted HTTP request).
• The ICAP REQMOD response has Status Code 204.
The Thunder ADC sends the original intercepted HTTP request to the web server.
• The ICAP REQMOD response has Status Code 100.
The Thunder ADC sends more data to the ICAP server.
• The ICAP REQMOD response has Status Code 200 and contains an HTTP response.
The Thunder ADC does not send an HTTP request to the web server. Instead, it sends this HTTP
response back to the client.
• The ICAP REQMOD response has any other Status Code.
The Thunder ADC treats the ICAP response as if it were Status Code 204.
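As an added example (not A10 code), the following Python applies the REQMOD action table above to RFC 3507 messages: it parses the ICAP status line and the Encapsulated header, de-chunks an encapsulated body, and returns what the proxy should do next. The ICAP messages embedded at the bottom are constructed samples, not captured traffic, and all function names are the example's own.

```python
"""Added example (not A10 code): decide what the forward proxy does with an
ICAP REQMOD response, following the action table above and the RFC 3507
message layout (ICAP status line, ICAP headers, Encapsulated sections)."""


def parse_icap_response(raw: bytes):
    """Split an ICAP response into (status, headers, encapsulated_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version, status, *_ = lines[0].split(b" ")      # e.g. b"ICAP/1.0 204 No Content"
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return int(status), headers, body


def encapsulated_sections(headers):
    """'Encapsulated: res-hdr=0, res-body=57' -> {'res-hdr': 0, 'res-body': 57}"""
    sections = {}
    for item in headers.get("encapsulated", "").split(","):
        name, _, offset = item.strip().partition("=")
        if name:
            sections[name] = int(offset)
    return sections


def dechunk(data: bytes) -> bytes:
    """Decode the chunked transfer coding ICAP uses for encapsulated bodies."""
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]                     # skip the chunk's trailing CRLF


def encapsulated_http(body: bytes, sections) -> bytes:
    """Rebuild the HTTP message: header block plus de-chunked body, if any."""
    body_key = next((k for k in sections if k in ("req-body", "res-body")), None)
    if body_key is None:
        return body                                # null-body: headers only
    off = sections[body_key]
    return body[:off] + dechunk(body[off:])


def reqmod_action(original_request: bytes, raw_icap: bytes):
    """Return (action, http_message) describing the proxy's next step."""
    status, headers, body = parse_icap_response(raw_icap)
    sections = encapsulated_sections(headers)
    if status == 100:                              # ICAP server wants the rest of the request
        return "send_more_data", None
    if status == 200 and "req-hdr" in sections:    # modified request replaces the original
        return "send_to_server", encapsulated_http(body, sections)
    if status == 200 and "res-hdr" in sections:    # ICAP server answered on the origin's behalf
        return "send_to_client", encapsulated_http(body, sections)
    # 204 (no modification) and every other status: forward the original unchanged
    return "send_to_server", original_request


# Constructed sample messages (not captured traffic).
ORIGINAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
_MODIFIED_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Scanned-By: dlp\r\n\r\n"
ICAP_200_REQUEST = (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-7\"\r\nEncapsulated: req-hdr=0, null-body="
                    + str(len(_MODIFIED_REQ)).encode() + b"\r\n\r\n" + _MODIFIED_REQ)
_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
ICAP_200_RESPONSE = (b"ICAP/1.0 200 OK\r\nISTag: \"dlp-7\"\r\nEncapsulated: res-hdr=0, res-body="
                     + str(len(_BLOCK_HDR)).encode() + b"\r\n\r\n" + _BLOCK_HDR
                     + b"11\r\nBlocked by policy\r\n0\r\n\r\n")   # 0x11 = 17 body bytes
ICAP_204 = b"ICAP/1.0 204 No Content\r\nISTag: \"av-1\"\r\n\r\n"
ICAP_100 = b"ICAP/1.0 100 Continue\r\n\r\n"
ICAP_500 = b"ICAP/1.0 500 Server Error\r\n\r\n"
```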

Configuration Requirements
The following configuration requirements enable Thunder ADC to support ICAP Client Authentication with any
AV or DLP solution.
1. Configure the IP addresses of the ICAP server and create the ICAP service group:
ACOS(config)#slb server ICAP_SG1_Path 10.1.260.11
ACOS(config-real server)#port 1344 tcp
ACOS(config)#slb service-group ICAP_sg http
ACOS(config-slb svc group)#member ICAP_SG1_Path 1344

2. Create the ICAP REQMOD template. Include the ICAP service group and the URL of the ICAP REQMOD
server:
ACOS(config)#slb template reqmod-icap reqmod_abcd
ACOS(config-reqmod-icap)#service-group ICAP_sg
ACOS(config-reqmod-icap)#service-uri icap://abcd.com/reqmod_abcd

3. Create the ICAP RESPMOD template. Include the ICAP service group and the URL of the ICAP RESPMOD
server:
ACOS(config)#slb template respmod-icap respmod_abcd
ACOS(config-respmod-icap)#service-group ICAP_sg
ACOS(config-respmod-icap)#service-uri icap://abcd.com/respmod_abcd

4. Apply the SLB RESPMOD and REQMOD templates to the http port of the virtual server:
ACOS(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#template reqmod-icap reqmod_abcd
ACOS(config-slb vserver-vport)#template respmod-icap respmod_abcd

Appendix F. Bypass Client Certificate Authentication


Some HTTPS servers might require client certificate authentication (CAC/PKI) when the server authenticates
incoming requests based on the certificate in the client’s certificate store. If SSL Insight lacks the necessary
client certificate and key information, CAC will fail when requested by the server.
Client authentication traffic is dynamically detected and automatically bypassed, based on general SNI
matches.
For example in Figure 7, after the Thunder ADC receives the client hello message from the client, the device
checks whether this server’s certificate is saved in the cache. If the certificate has not been saved, Internal
Thunder ADC starts a server SSL connection to the backend server to retrieve the certificate. Internal Thunder
ADC also detects whether the backend server requires client certificate authentication. If the server requires
backend authentication, Internal Thunder ADC stops retrieving the certificate and checks whether the server
name matches the configuration condition to bypass the traffic.

Note: To bypass the traffic, Internal Thunder ADC stops SSL Insight processing and switches from HTTPS processing to
generic TCP proxy processing.

Figure 7. Bypass client certificate authentication (diagram: Client, Internal Thunder ADC with VIP 0.0.0.0:443 and port translation 443 > 8080, Firewall, External Thunder ADC with VIP 0.0.0.0:8080 and port translation 8080 > 443, Server; the server's Client Certificate Response turns the session into a bypassed SSL connection carried as TCP through both devices)

Client Authentication Traffic Network Example


The A10 Thunder devices do not have the private keys of the real servers, such as mail.google.com and
mail.yahoo.com. Instead of the real server’s certificate, Internal Thunder ADC uses its own public/private key pair.
Because the certificate on the Internal Thunder ADC is a CA certificate that is trusted by the client, the client’s
browser will not display a warning about the “fake” certificate.

Configuration for Bypassing SSL Insight for Client Authentication Traffic


You can bypass SSL Insight for client authentication traffic by entering the following commands on each of the
servers for which you want to bypass the traffic:
slb template client-ssl clientssl
forward-proxy-bypass client-auth case-insensitive
forward-proxy-bypass client-auth class-list testclass
forward-proxy-bypass client-auth contains jsmith
forward-proxy-bypass client-auth ends-with abc
forward-proxy-bypass client-auth equals test.hello.com
forward-proxy-bypass client-auth starts-with efg

The following list provides additional information about the options:


• case-insensitive means that a case insensitive forward proxy bypass occurs.
• class-list means that forward proxy bypass occurs when the SNI string matches the class-list.
• client-auth means that forward proxy bypass occurs when the client cert auth is requested.
• contains means that forward proxy bypass occurs when the SNI string contains another string.
• ends-with means that forward proxy bypass occurs when the SNI string ends with another string.
• equals means that the forward proxy bypass occurs when the SNI string equals another string.
• starts-with means that forward proxy bypass occurs when the SNI string starts with another string.

Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic
To configure this feature, complete the following tasks:
• Configuring the Internal Thunder ADC device
• Configuring the External Thunder ADC device

Configuring the Internal Thunder ADC Device


The following output shows how to configure the Internal Thunder ADC device:
class-list bypass ac
starts-with a10a10
equals ssl-i
contains hello.com
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 any
!
interface ethernet 4
ip address 2.2.2.2 255.255.255.0
ip allow-promiscuous-vip

!
slb server s1 3.3.3.1
port 8080 tcp
no health-check
!
slb service-group sg1 tcp
!
!
slb service-group sg1-8080 tcp
member s1:8080
!
!
slb template client-ssl ssl_int
cert new_self.crt
key new_self.key
forward-proxy-enable
forward-proxy-ca-cert new_self.crt
forward-proxy-ca-key new_self.key
forward-proxy-bypass client-auth contains abc.com
forward-proxy-bypass client-auth equals a10a10
forward-proxy-bypass client-auth class-list bypass
!
slb virtual-server vs1 0.0.0.0 acl 101
extended-stats
port 443 https
service-group sg1-8080
template client-ssl ssl_int
no-dest-nat port-translation
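As an added example (written for this guide, not A10 code), the following Python models the bypass decision described in this appendix: it loads the class-list and forward-proxy-bypass client-auth lines of the internal-device sample above and reports whether a given SNI is bypassed when the backend asks for a client certificate. Names such as ClientAuthBypass and should_bypass are the example's own, and the case-insensitive flag is applied to both the SNI and the configured strings.

```python
"""Added example (not A10 code): evaluate a client-ssl template's
'forward-proxy-bypass client-auth' rules against the SNI from a ClientHello,
modelled on the class-list and template lines of the internal-device sample."""

MATCHERS = {
    "equals":      lambda sni, s: sni == s,
    "contains":    lambda sni, s: s in sni,
    "starts-with": lambda sni, s: sni.startswith(s),
    "ends-with":   lambda sni, s: sni.endswith(s),
}


def parse_class_list(body):
    """Body of a 'class-list <name> ac' block -> [(operator, string), ...]."""
    rules = []
    for line in body.strip().splitlines():
        op, _, value = line.strip().partition(" ")
        if op not in MATCHERS:
            raise ValueError(f"unsupported class-list entry: {line!r}")
        rules.append((op, value.strip()))
    return rules


class ClientAuthBypass:
    """The client-auth bypass rules of one client-ssl template."""

    def __init__(self, class_lists):
        self.class_lists = class_lists   # name -> rules from parse_class_list
        self.rules = []                  # (operator, value); operator may be 'class-list'
        self.case_insensitive = False

    def add(self, line):
        """Accept one 'forward-proxy-bypass client-auth ...' template line."""
        t = line.split()
        if t[:2] != ["forward-proxy-bypass", "client-auth"]:
            raise ValueError(f"not a client-auth bypass line: {line!r}")
        if t[2] == "case-insensitive":
            self.case_insensitive = True
        elif t[2] == "class-list":
            if t[3] not in self.class_lists:
                raise KeyError(f"class-list {t[3]} is not defined")
            self.rules.append(("class-list", t[3]))
        elif t[2] in MATCHERS:
            self.rules.append((t[2], t[3]))
        else:
            raise ValueError(f"unknown bypass option: {t[2]}")

    def _fold(self, s):
        return s.lower() if self.case_insensitive else s

    def matching_rule(self, sni):
        """First rule the SNI satisfies, or None; class-lists expand to their entries."""
        sni = self._fold(sni)
        for op, value in self.rules:
            entries = self.class_lists[value] if op == "class-list" else [(op, value)]
            for entry_op, pattern in entries:
                if MATCHERS[entry_op](sni, self._fold(pattern)):
                    return (op, value)
        return None


def should_bypass(bypass, sni, server_requested_client_cert):
    """SSLi is bypassed only when the backend asked for a client certificate
    and the SNI matches a configured rule; otherwise decryption proceeds."""
    return server_requested_client_cert and bypass.matching_rule(sni) is not None


def sample_internal_template(case_insensitive=False):
    """Constructed copy of the class-list and bypass lines in the sample above."""
    bypass = ClientAuthBypass({"bypass": parse_class_list("""
        starts-with a10a10
        equals ssl-i
        contains hello.com
    """)})
    if case_insensitive:
        bypass.add("forward-proxy-bypass client-auth case-insensitive")
    bypass.add("forward-proxy-bypass client-auth contains abc.com")
    bypass.add("forward-proxy-bypass client-auth equals a10a10")
    bypass.add("forward-proxy-bypass client-auth class-list bypass")
    return bypass
```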

Configuring the External Thunder ADC Device


The following CLI output shows how to configure the External Thunder ADC device:
access-list 101 permit tcp any any eq 8080
interface ethernet 3
ip address 3.3.3.2 255.255.255.0
ip allow-promiscuous-vip

!
slb template server-ssl ssl_int
forward-proxy-enable
!
!
slb server s2 3.3.3.1
port 443 tcp
no health-check
!
slb service-group sg1-443 tcp
member s2:443
!
!
slb virtual-server vs2 0.0.0.0 acl 101
port 8080 http
service-group sg1-443
template server-ssl ssl_int
no-dest-nat port-translation

Appendix G. Explicit Proxy


Explicit Proxy Configuration
The Explicit Proxy feature enables the Thunder ADC device to control client access to hosts based on lists of
allowed traffic source (clients) and destination (hosts).

Figure 8: Bypass client certificate authentication (diagram: Client, Explicit Proxy with Class-List and Policy Template, Internet)

This feature is available in ACOS release 2.7.2 and was reintroduced in ACOS release 4.0.1 SP9. When this feature
is enabled, an HTTP virtual port on the Thunder ADC device intercepts the HTTP requests from the client,
validates both the source and the destination, and forwards only those requests that come from permitted
sources and are sent to permitted destinations. Destinations are validated based on URL or hostname
strings. For approved destinations, DNS is used to obtain the IP addresses.

Note: All Explicit Proxy integration with SSL Insight must be deployed in a partition (ADP). Integration of Explicit Proxy
and SSL Insight in the same partition or appliance will be supported in future releases.

Sample Configuration for Explicit Proxy


The class-lists below match destination strings: each entry matches a destination whose URL or hostname
contains the given string. When a destination matches, the request is forwarded according to the action bound
to that class-list in the policy template.
class-list dest ac
contains example
contains google
contains test
!
class-list dest1 ac
contains example1
contains america
!
class-list dest2 ac
contains bank
contains sample
!
class-list src ipv4
192.0.2.212/32
203.0.113.0/24
198.51.100.0/24
!
slb server fake-server 192.168.230.101
port 80 tcp
port 443 tcp
health-check-disable
!
slb server ubuntu_serv 192.168.221.70
port 80 tcp
port 443 tcp

slb service-group fake-sg tcp
health-check-disable
member fake-server 80
member fake-server 443
!
slb service-group ubuntu_sg tcp
member ubuntu_serv 80
member ubuntu_serv 443
!
slb template policy test
forward-policy
action a1
forward-to-internet fake-sg snat snat fallback ubuntu_sg snat snat
log
action a2
forward-to-service-group ubuntu_sg snat snat
log
action a3
drop
log
source s1
match-class-list src
destination class-list dest action a1 url priority 10
destination class-list dest1 action a2 url priority 300
destination class-list dest2 action a3 url priority 15
source s2
match-any
destination any action a1
slb virtual-server test 10.50.10.123
port 8080 http
service-group fake-sg
template policy test
!
Note: The fake-server and fake-sg are required as placeholders for action forward-to-internet.

Appendix H. Detailed Walkthrough of SSL Insight Packet Flow

Figure 9. SSL Insight packet flow (sequence diagram: Clients, A10 Thunder ADC, Firewall, A10 Thunder ADC, Server; an Encrypted Zone on each side of the firewall and a Clear Text Zone between the two Thunder ADCs). The client’s TCP handshake and Client-Hello terminate on the first Thunder ADC, which opens its own TCP and SSL connection to the remote server, receives the Server-Hello carrying the server certificate (public key signed by a well-known CA) and then resets that connection. The numbered steps in the diagram are:
1. If the certificate exists in the cache, send it to the client and move to (2). Otherwise, establish an SSL connection with the remote server and get the certificate from the remote server.
2. Extract the header information from the server certificate. Change the Issuer and the Public Key to those in the Client-SSL-Template. Re-sign the new certificate using the CA-Certificate in the Client-SSL-Template. Send the reconstructed Server-Hello (server certificate with the local public key, signed by the local CA) to the client.
3. Application data is decrypted and sent in clear text through the firewall.
4. SSL-Reverse-Proxy: a new SSL session is initiated with the remote server. Data is encrypted and sent to the remote server.
5. The response is decrypted and sent through the firewall.
6. The response is encrypted again and sent to the client.

Appendix I. SSL Insight Certificate Installation Guide


A prerequisite for configuring Thunder ADC’s SSL Insight feature is generating a CA certificate with a known
private key. This CA certificate must then be installed to all client machines on the internal network. If the CA
certificate is not installed, internal users will see an SSL “untrusted root” error whenever they try to connect to
an SSL-enabled website.
This guide includes the following contents:
• Generating a CA Certificate
• Exporting a Certificate from Thunder ADC
• Installing a Certificate in Microsoft Windows 7 for Microsoft Internet Explorer
• Installing a Certificate in Google Chrome
• Installing a Certificate in Mozilla Firefox

Generating a CA Certificate
The SSL Insight feature relies on a CA certificate and key pair: the Thunder ADC appliance uses the key to sign the certificates it presents to clients on behalf of the real servers, and clients accept those certificates only if they trust the CA. A self-signed CA certificate can be generated by the Thunder ADC appliance or created on a Linux system with OpenSSL installed. Alternatively, an ADC administrator can request and install a CA-signed certificate from the Thunder ADC appliance; note that public CAs do not issue subordinate CA certificates for this purpose, so in practice the signing CA is an internal enterprise CA. For instructions on requesting a CA-signed certificate, please see the Application Delivery and Server Load Balancing Guide5.
To generate a self-signed certificate from Thunder ADC in ACOS version 4.0.1:
1. Select ADC > SSL Management.
2. Click Create.
3. Enter the name: SSLi-CA
4. Common name: SSLi-CA
5. Enter the rest of the certificate information in the remaining fields of the Certificate section.

Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.
6. From the Key drop-down list, select the length in bits for the key. (2048 is the recommended key size.)
7. Click Create. The Thunder ADC device generates the self-signed certificate and a key. The new certificate and key appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.

5
Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


Other Options to Generate a Certificate

Instead of creating a self-signed certificate within Thunder ADC, administrators can generate a certificate on a Linux server. The following two commands generate a CA key and a self-signed CA certificate on a Linux system with the OpenSSL package installed (the key size and signature hash are given explicitly so they do not depend on the OpenSSL defaults, which were 512-bit RSA and SHA-1 on older releases). Once generated, the certificate and key can be imported onto the Thunder ADC device using FTP or SCP.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt

The root certificate must be imported onto the client machines. This can be done manually or using an automated service such as Microsoft Group Policy.

Note: Further details on distributing certificates with Group Policy can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx

Exporting a Certificate from Thunder ADC

To export a self-signed certificate from the Thunder ADC GUI in ACOS 4.0.1:
1. Select ADC > SSL Management.
2. On the menu bar, select the certificate.
3. Click Export.

Notes: If the browser security settings normally block downloads, you may need to override the settings. For example, in Internet Explorer, hold the Ctrl key while clicking Export. See the Application Delivery and Server Load Balancing Guide6 for more information and for instructions for the command line interface (CLI). Export only the certificate, not the CA private key: the key never needs to leave the Thunder ADC device, and anyone holding it can impersonate any HTTPS site to every client that trusts the CA.

Installing a Certificate in Microsoft Windows 7 for Internet Explorer

To import an untrusted or self-signed CA certificate into a Windows 7 computer, you must be logged on as an administrator, and the certificate file must already have been copied to the computer. Note that certmgr.msc manages the certificate stores of the current user; to trust the CA for every user of the machine, import it into the Local Computer store (for example through the Certificates MMC snap-in for the Computer account) or distribute it with Group Policy as described above.
1. Open Certificate Manager by clicking the Start button.
2. Type certmgr.msc into the search box and then press Enter.
3. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

6
Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.


4. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we
have selected the folder: Trusted Root Certification Authorities > Certificates.

5. Click the Action menu, point to All Tasks, and then click Import.


6. In Certificate Import Wizard, click Next to proceed to the File Import page.

7. Select Browse to locate the certificate file that is to be imported.

Note: the Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate,
select the certificate type you want to import in the Open dialog box and click Open.


8. Click the Next button.

9. Click the Next button.


10. Confirm your selections and click Finish.

11. In the Security Warning popup window, select Yes, since you made an informed decision to import this
certificate.


12. If the import is successful, you will see a dialog box with the message “The import was successful.”

13. You can see the newly installed CA certificate under the specified folder.


Installing a Certificate in Google Chrome

On Windows, Google Chrome uses the operating system certificate store, so the following steps open the same Windows Certificate Import Wizard as the previous section; a CA certificate already imported through Certificate Manager is trusted by Chrome without further action.
1. To install the CA certificate in Google Chrome, open the Chrome browser.
2. Click the "Customize and Control Google Chrome" menu button in the upper right corner of the browser window.

3. Navigate to the HTTPS/SSL section of the Chrome Settings and click the Manage certificates button.


4. In the certificate folder on the Trusted Root Certification Authorities tab, click the Import button and a
Certificate Import Wizard will appear.

5. In the Certificate Import Wizard, click the Next button.


6. Click the Next button to browse to the location of the CA certificate.

7. Once the correct certificate has been located, click Next to install the certificate in the “Trusted Root
Certificate Authorities” certificate store. Click Next and Finish and then click OK.


Installing a Certificate in Mozilla Firefox

Mozilla Firefox uses its own certificate store rather than the operating system's, and all root CA certificates it trusts are kept in that store. For SSL Insight to work, each Firefox client must therefore import the SSL Insight root certificate separately; otherwise Firefox will show an untrusted-issuer error on every HTTPS connection attempt.
1. To install an SSL root certificate in Firefox, launch the Firefox browser and open the Options window.


2. From the Options window, select the Advanced settings option and then click the Certificate tab. From
the Certificates window, click the View Certificates button. Mozilla will display the Certificate Manager
dialog.

3. Click the Import button.


4. Navigate to where the certificate is located and click Open. A Downloading Certificate window will be
displayed.

5. Select the Trust this CA to identify websites checkbox and click OK. Now, the certificate should be
imported and the client machine can access HTTPS applications without receiving an error message.


Appendix J. SSL Insight 4.0.3 Features


OCSP Certificate Validation
With OCSP certificate validation, the internal Thunder ADC device checks the revocation status of the external (Internet) server's certificate with the issuing Certificate Authority's OCSP responder before it forges a certificate for the client. This closes a gap that is inherent to a forward proxy: because the proxy re-signs every server certificate with the local CA, the client can no longer check revocation itself and has to rely on the proxy to do so. Keep in mind that OCSP validation is performed only on the backend (server-side) certificate chain, not on the certificate presented to the client.
After the TCP connection between the client and the internal Thunder ADC device has been established, the OCSP certificate validation proceeds as follows:

Figure 10: OCSP detailed cert validation process
[Diagram: Client -> Internal Thunder ADC (ADP 1, "Internal") -> Firewall -> External Thunder ADC (ADP 2, "External") -> Router -> Internet -> Remote Server; the internal Thunder ADC queries the OCSP Server; "Yes, valid certificate" lets the session proceed, "No" drops the session]

Figure 11: OCSP detailed cert validation process
[Flowchart: Client -> Internal Thunder ADC -> Firewall -> Internet -> Server, with an OCSP Certificate Server queried by the internal Thunder ADC; decision points: does the external certificate contain OCSP information? is there an OCSP entry in the Thunder ADC cache? if the server does not support OCSP stapling, connect to the OCSP certificate server; outcomes: verification 'Good', 'Revoked' or 'Unknown', or fetch failure]

1. CA certificates are imported onto the internal Thunder ADC device.
2. The internal Thunder ADC device establishes a TCP connection and begins an SSL handshake with the remote server.
3. The server responds with its certificate and staples the OCSP status if OCSP stapling is supported by the server.
4. If the server response contains a stapled OCSP status of "good," an SSL connection is established between the Thunder ADC device and the client. If OCSP stapling is not supported, the internal Thunder ADC device requests the certificate status from the OCSP certificate server.
5. If the certificate of the external server is "revoked," the SSL connection is either dropped or bypassed depending on the Thunder ADC configuration. If the certificate of the external server is "good," the SSL proxy connection is established between the client and the Thunder ADC device.

OCSP Certificate Validation Process

1. The internal Thunder ADC device contacts the OCSP responder whose URL is carried in the Authority Information Access (AIA) extension of the certificate sent by the Internet server. An OCSP request is sent to the OCSP URL in the AIA extension of each certificate in the chain for which the internal Thunder ADC device does not already have an OCSP cache entry. If the OCSP URL is an HTTP URL, an HTTP connection is initiated to that responder. If the OCSP URL is an HTTPS URL, the Thunder ADC device does not continue with OCSP verification for that certificate chain.
2. If the OCSP responder reports the certificate as good, the internal Thunder ADC device caches the validity information together with its expiration time (in seconds). If the OCSP entry expires while the forged certificate corresponding to it is still in the cache, that forged certificate is aged out as well. When the next client request for the same website arrives, the OCSP verification and certificate forging process is repeated.
3. If the OCSP responder reports the certificate as not valid, then depending on the Thunder ADC configuration the device either drops the connection or bypasses the SSL proxy so that the client connects directly to the external server.
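The following script is an added example and is not part of the A10 guide or of ACOS. It ties together the OpenSSL CA generation from Appendix I ("Other Options to Generate a Certificate") and step 1 of the OCSP process above: it builds a private CA with explicit CA extensions, mints a site certificate signed by that CA the way the forward proxy does, shows that only a client holding the CA accepts it, and then reads the OCSP responder URL out of the certificate's AIA extension and applies the http/https rule described in step 1. The CA names, hostnames, directory layout and the responder URLs (ocsp.example.test) are constructed for the example; it requires only the openssl command-line tool.

```bash
#!/usr/bin/env bash
# Added example (not A10 code): private CA, CA-signed site cert, trust check,
# and the AIA/OCSP URL decision described in the OCSP process text.
set -eu

# Create a CA key and self-signed CA certificate named $2 in directory $1,
# with explicit CA extensions instead of relying on the openssl.cnf defaults.
make_ssli_ca() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    # The CA key can mint a certificate for any site: keep it off the network.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/ca.cnf"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/O=Example Corp/CN=$name" -config "$dir/ca.cnf" \
        -out "$dir/ca.crt" 2>/dev/null
}

# Mint a server certificate for hostname $2, signed by the CA in $1, carrying
# an AIA extension that points at OCSP responder $3 (constructed URL).
mint_site_cert() {
    dir="$1"; host="$2"; ocsp_url="$3"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" \
        "authorityInfoAccess = OCSP;URI:$ocsp_url" \
        > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Succeeds when the CA certificate in $1 is marked as a CA (basicConstraints).
ca_is_marked_ca() {
    openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds when certificate $2 chains to CA file $1 and matches hostname $3:
# what a client with that CA installed sees. Fails for a client without it.
site_cert_trusted_by() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Print the OCSP responder URL from the certificate's AIA extension (empty if none).
ocsp_url_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Decide how the OCSP step treats certificate $1, following the rule in the text:
#   http responder  -> query (an HTTP OCSP request is sent)
#   https responder -> skip  (OCSP verification is not continued for that chain)
#   no OCSP URL     -> none  (nothing to ask)
ocsp_action_for() {
    url=$(ocsp_url_of "$1")
    case "$url" in
        http://*)  echo query ;;
        https://*) echo skip ;;
        "")        echo none ;;
        *)         echo skip ;;
    esac
}

# Stand-alone demonstration in a scratch directory.
WORK=$(mktemp -d)
make_ssli_ca "$WORK/ssli" SSLi-CA    # the SSL Insight CA
make_ssli_ca "$WORK/other" Other-CA  # unrelated CA: a client that never installed the SSLi root
mint_site_cert "$WORK/ssli" www.example.com  http://ocsp.example.test/
mint_site_cert "$WORK/ssli" mail.example.com https://ocsp.example.test/
```

Running the script leaves the CA and two minted certificates under a temporary directory; the functions are the useful part. site_cert_trusted_by succeeds with the SSLi CA and fails both with the unrelated CA (the "untrusted root" error users see without the import) and for a hostname that is not in the certificate, and ocsp_action_for returns query for the http:// responder, skip for the https:// one and none for the CA certificate itself, which carries no AIA.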

Note: OCSP certificate validation is enabled by default. To disable the OCSP verification from the CLI, use the following
command:
slb template client-ssl ssli
forward-proxy-ocsp-disable

OCSP certificate validation can be configured in several ways, so an administrator has to understand how the different options interact. Only the internal Thunder ADC device is configured; no changes or feature enabling are required on the external Thunder ADC device.

Note: This new feature (in 4.0.3) can only be configured in the CLI. Configuration via the GUI will be available in a future release.
To configure OCSP server validation, the following CLI commands are required:
• Source NAT pool - the Thunder Server Verification Module (SVM) dynamically initiates TCP connections to OCSP responders, and those connections need a source NAT pool address. The following commands are required for OCSP validation to function:
Thunder-Internal(config) #ip nat pool ocsp 5.5.5.100 5.5.5.100 netmask /24
Thunder-Internal(config) #slb svm-source-nat pool ocsp

• DNS - to resolve the hostname of the OCSP responder, a DNS server has to be configured on the internal Thunder ADC device. A secondary DNS IP address can also be configured for redundancy.
Thunder-Internal(config) #ip dns primary 8.8.8.8

Once the required CLI is configured, configure the client-SSL template on the internal Thunder ADC device with the following commands:
Thunder-Internal(config) #slb template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_CAs
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_intermediate
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca new_self.crt
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA1
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA2
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA3
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA4
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA5
Thunder-Internal(config-client SSL) #forward-proxy-ca-cert enterpriseABC-selfsigned
Thunder-Internal(config-client SSL) #forward-proxy-ca-key enterpriseABC-key
Thunder-Internal(config-client SSL) #forward-proxy-enable

Another option within OCSP certificate validation is to make the internal Thunder ADC device drop the connection when the certificate from the external server is not valid. By default, the internal Thunder ADC device does not drop connections for invalid certificates: with only forward-proxy-trusted-ca configured in the client-SSL template,
#forward-proxy-trusted-ca

client connections whose external server certificate fails validation are bypassed (passed through without SSL Insight). To drop the connection instead, add the following command to the client-SSL template:
#forward-proxy-verify-cert-drop

For an inline single-appliance deployment with an L3V partition, route configuration is also required. On the internal Thunder ADC device, port 443 HTTPS on the wildcard VIP must reference the DNS server (through a dynamic-service template) and non-HTTP protocols must be bypassed. Create a dynamic-service template and bind it to the VIP of the internal Thunder ADC device.
To define the dynamic-service template, configure the following:
Thunder-Internal(config) #slb template dynamic-service dl
Thunder-Internal(config-dynamic-service) #dns server 8.8.8.8
Thunder-Internal(config-dynamic-service) #exit

Once the dynamic-service template is defined, bind it to the VIP on the internal Thunder ADC device:
Thunder-Internal(config) #slb virtual-server Inside_VIP 0.0.0.0 acl 100
Thunder-Internal(config-slb vserver) #port 443 https
Thunder-Internal(config-slb vserver-vport) #no-dest-nat port-translation
Thunder-Internal(config-slb vserver-vport) #service-group FW1_Inspect_SG
Thunder-Internal(config-slb vserver-vport) #use-rcv-hop-for-resp
Thunder-Internal(config-slb vserver-vport) #template dynamic-service dl
Thunder-Internal(config-slb vserver-vport) #template http non-http-bypass
Thunder-Internal(config-slb vserver-vport) #template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-slb vserver-vport) #exit

SSL Debug Alert Messages

This feature logs the TLS alert that caused an SSL session to fail, so an administrator can see why a handshake or an established session was torn down. It is not enabled by default. It is enabled in a client-SSL or server-SSL template, and each logged alert carries a brief description. An alert can be triggered during the SSL handshake or while application data is being sent or received. Only fatal alerts are logged; the level is fixed and not customizable. To enable this feature, use the ACOS CLI and run the following command in the template:
inside(config-client ssl)#enable-tls-alert-logging fatal

Note: this feature can be enabled on the internal or the external Thunder ADC device.

The following are the SSL alert descriptions that ACOS can log, with their TLS AlertDescription codes (RFC 5246). Note that close_notify, user_canceled and no_renegotiation are defined as warning-level alerts in TLS, and decryption_failed, no_certificate and export_restriction are reserved codes from earlier protocol versions, so they are rarely seen from modern peers.

close_notify                       0
unexpected_message                10
bad_record_mac                    20
decryption_failed                 21
record_overflow                   22
decompression_failure             30
handshake_failure                 40
no_certificate                    41
bad_certificate                   42
unsupported_certificate           43
certificate_revoked               44
certificate_expired               45
certificate_unknown               46
illegal_parameter                 47
unknown_ca                        48
access_denied                     49
decode_error                      50
decrypt_error                     51
export_restriction                60
protocol_version                  70
insufficient_security             71
internal_error                    80
user_canceled                     90
no_renegotiation                 100
unsupported_extension            110
certificate_unobtainable         111
unrecognized_name                112
bad_certificate_status_response  113
bad_certificate_hash_value       114
unknown_psk_identity             115

Forward Proxy Failsafe


Forward Proxy Failsafe is a new feature in release 4.0.3 that lets ACOS dynamically bypass SSL Insight for a request when ACOS is unable to fetch the server certificate, that is, when its own SSL handshake to the server fails. The feature is enabled by default, and automatically bypassed transactions are logged to syslog with the keyword "bypassed." Because bypassed sessions reach the client encrypted and uninspected, these log entries should be monitored. The option is only available in the client-SSL template.

[Diagram: Client -> SSL handshake to the Server; success -> SSL Insight proceeds; failed -> SSL failure handled by failsafe bypass]

Command to disable Forward Proxy Failsafe:


slb template client-ssl ssli
enable-tls-alert-logging fatal
forward-proxy-ca-cert 2k.pem
forward-proxy-ca-key 2k.key
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
non-ssl-bypass service-group nonssli-tcp

Forward Proxy Inspect


The Forward Proxy Inspect feature matches each connection against an Aho-Corasick (ac) class-list and performs SSL Insight only when the connection matches a class-list entry. If there is no match, the SSL session is dropped.

[Diagram: Client -> client-SSL template with Forward Proxy Inspect -> Aho-Corasick class-list match (for example ".com", ".edu") -> success: session proxied to the Server; no class-list match: SSL session is dropped]

To enable this feature, the class-list strings must be defined; matching is case sensitive and supports "starts-with," "ends-with," and "contains" or exact ("equals") matches.

Internal Thunder ADC Ends-with Class-list Sample


class-list test ac
contains ssl-inspect1
ends-with .com
ends-with .edu

Internal Thunder ADC Client SSL template Sample:


slb template client-ssl client-ssl
forward-proxy-ca-cert ssl-ca
forward-proxy-ca-key ssl-ca
forward-proxy-enable
forward-proxy-inspect inspect-list test

Internal Thunder ADC Key-string Length Class-list Sample


class-list max-length-key-string ac
contains 012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.012345678901234567890123456789.0123456
!
slb template client-ssl client-ssli
forward-proxy-ca-cert ax-1024
forward-proxy-ca-key ax-1024
forward-proxy-enable
forward-proxy-inspect inspect-list max-length-key-string


Appendix K. Reference Topologies


SSL Insight – Inline Single Appliance Deployment
[Diagram: Client <-> Thunder ADC partition ADP 1 (SSL, decrypts) -> Firewall or inline Security Device (HTTP, clear traffic) -> Thunder ADC partition ADP 2 (SSL, re-encrypts) <-> Internet; legend: Secure Traffic / Clear Traffic]

The Inline Single Appliance Deployment Mode provides SSL visibility to an inline security device. This
configuration has the following topology description:
• One partition decrypts SSL traffic and forwards it to security devices
• A second partition encrypts traffic
• L2 deployment

SSL Insight – Inline and Passive Mode Security Devices

[Diagram: Client (SSL) -> Thunder ADC -> HTTP clear traffic through SWG (Secure Web Gateway) and IPS/Firewall, mirrored to ATP / SIEM -> Thunder ADC -> Internet (SSL); legend: Secure Traffic / Clear Traffic]

The Inline and Passive Deployment Mode shows multiple security devices running on Layer 2 configuration or
on a TAP mode using mirror port configuration. This configuration has the following topology description:
• Open once and inspect multiple times
• Multiple security devices
• Inline (Layer 2) and passive (TAP) mode devices supported on SPAN/Mirror Port

SSL Insight – Network and Passive Mode Security Devices

[Diagram: Client (SSL) -> Thunder ADC -> HTTP clear traffic routed through SWG (Secure Web Gateway) and IPS/Firewall, mirrored to ATP / SIEM -> Thunder ADC -> Internet (SSL); legend: Secure Traffic / Clear Traffic]

The Network and Passive Deployment Mode shows multiple security devices running on Layer 3 configuration
or on a TAP mode using mirror port configuration. This configuration has the following topology description:
• Open once and inspect multiple times
• Multiple security devices
• Network (Layer 3) and passive (TAP) mode devices supported on SPAN/Mirror Port
• High availability (HA) Support


SSL Insight – Inline Mode with Explicit Proxy

[Diagram: Client (SSL, Explicit Proxy) -> ADP 1 -> ADP 2 -> Firewall or Inline Security Device (HTTP) -> ADP 3 -> Internet (SSL); legend: Secure Traffic / Clear Traffic]

First A10 Partition: forwards the explicit proxy traffic to SSL; the HTTP CONNECT header is removed and the destination IP is changed.
Second A10 Partition: converts SSL traffic to HTTP and sends the traffic to the firewall for inspection.
Third A10 Partition: converts HTTP back to SSL; the HTTPS traffic is forwarded to its destination.

The Inline Mode with Explicit Proxy Deployment Mode is a combination of Explicit Proxy with SSL Insight
solutions. The first partition is configured as Explicit Proxy and the second and third partitions will be used for
SSL Insight configuration.

SSL Insight – ICAP Topology with Explicit Proxy

[Diagram: Client (SSL) -> ADP 1 -> Firewall or Inline Security Device -> ADP 2 -> Internet (SSL); ADP 1 exchanges reqmod/respmod ICAP messages with a Data Loss Prevention (DLP) server; legend: Secure Traffic / Clear Traffic]

The ICAP Topology with Explicit Proxy Deployment Mode provides SSL visibility to an ICAP-enabled DLP. This configuration has the following topology description:
• Requires an ICAP template, which is then bound to a vPort
• The ICAP solution is based on RFC 3507
• Configurable; the solution can work with internal and external Thunder Series devices


SSL Insight in Passive Inline with Explicit Proxy

[Diagram: Client (SSL, Explicit Proxy) -> ADP 1 -> ADP 2 -> Firewall/IPS (HTTP), mirrored to ATP / SIEM -> ADP 3 -> Internet (SSL); legend: Secure Traffic / Clear Traffic]

The Passive Inline with Explicit Proxy Deployment offers explicit proxy configuration and supports multiple
inline and passive (TAP) security devices. Customers may deploy in explicit proxy mode when they are replacing
an existing explicit proxy or prefer it over our standard SSL proxy.

Inline Mode with Bypass Switch/AFO

[Diagram: Internet (SSL) <-> Bypass Switch <-> Thunder ADC partitions ADP 1 and ADP 2 with the Firewall or Inline Security Device (HTTP) between them; legend: Bypass Traffic / Secure Traffic / Clear Traffic]

The Inline Mode with Bypass Switch/AFO Deployment shows the standard inline deployment mode with the option to deploy a bypass switch. AFO (Active Failover Open) uses network traffic as a heartbeat. If the network heartbeat fails, the bypass switch switches the traffic to bypass mode so that the network is not interrupted; while in bypass, traffic passes the appliance without being decrypted or inspected.

HA Inline Mode with Bypass Switch/AFO

[Diagram: Internet (SSL) <-> Bypass Switch <-> a pair of Thunder ADC devices with the Firewall or inline Security Device (HTTP) between the decrypting and re-encrypting sides; legend: Bypass Traffic / Secure Traffic / Clear Traffic]

The HA Inline Mode with Bypass Switch/AFO Deployment shows the standard inline (L2) mode in a multi-device deployment with a bypass switch option. AFO (Active Failover Open) uses network traffic as a heartbeat. If the network heartbeat fails, the bypass switch switches the traffic to bypass mode so that the network is not interrupted; while in bypass, traffic passes the appliances without being decrypted or inspected.


About A10 Networks


A10 Networks is a leader in application networking, providing a range of high-performance application
networking solutions that help organizations ensure that their data center applications and networks
remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose,
California, and serves customers globally with offices worldwide. For more information, visit:
www.a10networks.com

Corporate Headquarters: A10 Networks, Inc, 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668, Fax: +1 408 325-8666, www.a10networks.com

Worldwide Offices: North America sales@a10networks.com; Europe emea_sales@a10networks.com; South America latam_sales@a10networks.com; Japan jinfo@a10networks.com; China china_sales@a10networks.com; Hong Kong HongKong@a10networks.com; Taiwan taiwan@a10networks.com; Korea korea@a10networks.com; South Asia SouthAsia@a10networks.com; Australia/New Zealand anz_sales@a10networks.com

To learn more about the A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.

Part Number: A10-DG-16154-EN-04
Dec 2015

©2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.
