Table of Contents
1 Overview
2 Deployment Prerequisites
3 Architecture Overview
3.1 SSL Insight with an Inline Security Deployment
4 New SSL Insight Features
4.1 Features
4.2 CA Certificate
5 Configuration Overview
5.1 Thunder ADC Appliance Configuration Overview
6 Configuration Steps for Thunder ADC Appliances
6.1 Network Configuration on the Thunder ADC Appliances
6.2 Configure VLANs and add Ethernet and Router Interfaces
6.3 Configure IP Addresses on the VLAN Router Interfaces
6.4 SSL Insight Configuration on the Thunder ADC Appliances
7 Configuration Steps for Security Device
8 Summary
Appendix
Appendix A. Complete Configuration File for the Thunder ADC Appliance
Appendix B. Webroot BrightCloud URL Classification
Appendix C. Dynamic Port Intercept
Configuration Samples for Dynamic Port Intercept
Appendix D. Single Appliance SSL Insight Solution
Appendix E. ICAP Support in Client Authentication Architecture
ICAP Workflow
Configuration Requirements
Appendix F. Bypass Client Certificate Authentication
Configuration for Bypassing SSL Insight for Client Authentication Traffic
Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic
Appendix G. Explicit Proxy
Explicit Proxy Configuration
Appendix H. Detailed Walkthrough of SSL Insight Packet Flow
Appendix I. SSL Insight Certificate Installation Guide
Generating a CA Certificate
Installing a Certificate in Microsoft Windows 7 for Internet Explorer
Installing a Certificate in Google Chrome
Installing a Certificate in Mozilla Firefox
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to
fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not
be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.
Deployment Guide | SSL Insight Deployment for Thunder ADC
1 Overview
Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and
forensics, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to
discover attacks, intrusions, and data exfiltration hidden in encrypted communications. Many types of security
devices are deployed out of band (non-inline) to monitor network traffic, and such devices cannot decrypt
outbound SSL traffic at all. Growing SSL bandwidth, coupled with increasing SSL key lengths and more
computationally expensive SSL ciphers, makes it difficult for even the most powerful inline security devices to
decrypt SSL traffic. To solve this, the SSL Insight™ feature of the A10 Networks® Thunder® ADC line of
application delivery controllers eliminates the blind spot imposed by SSL encryption: it offloads the CPU-intensive
SSL decryption so that security devices can inspect encrypted traffic, not just clear text. SSL Insight acts as an
SSL forward proxy: it intercepts SSL-encrypted traffic, decrypts it and forwards the clear text through a firewall or
Intrusion Prevention System (IPS). It can also mirror the decrypted traffic to non-inline security devices such
as analytics or forensics products. A second Thunder ADC appliance then re-encrypts the traffic and sends it to
the remote destination.
Using A10's Application Delivery Partitions (ADPs), a single Thunder ADC appliance can perform the decryption,
the re-encryption, and load balancing.
2 Deployment Prerequisites
The requirements for an SSL Insight deployment are:
• Thunder ADC appliances running A10 Networks Advanced Core Operating System (ACOS®) version 4.0.3 SP9
or later
• A third-party security device such as a firewall, security analytics or forensics appliance, or threat prevention
platform
• The security device deployed in inline (Layer 2), routed (Layer 3) or ICAP mode (ICAP applies only to DLP or AV
solutions that support ICAP)
Note: The CLI commands and GUI screenshots in this guide are based on ACOS version 4.0.1 SP9. Some features in this
release can be configured only from the CLI; where the guide shows no GUI procedure for a feature, that feature is
CLI-only.
3 Architecture Overview
This section illustrates a joint solution using Thunder ADC appliances and a third-party security device for SSL
Insight capability. The SSL Insight services are provided by the Thunder ADC appliances, while traffic inspection and
monitoring are provided by the third-party security device. This is a simple inline SSL intercept solution,
using two Thunder ADC appliances: one for SSL decryption and one for re-encryption.
For additional SSL Insight deployment options, please refer to the appendices.
Note: The security devices in this deployment guide are set up in Layer 2 (L2) mode.
[Figure: inline SSL Insight topology: Client - Internal Thunder ADC - Security Appliance - External Thunder ADC - Internet]
Figure 2. SSL Insight and Firewall Load Balancing topology in one-box solution
[Figure 2 shows a single Thunder ADC with two partitions: ADP 1 "Internal" (interfaces toward the Client and toward the Firewall) and ADP 2 "External" (interfaces toward the Firewall and toward the Router), with the Security Appliance between the two partitions and the Internet beyond the router.]
Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide (available at
https://www.a10networks.com/support; site registration is required) for additional details on the SSL Insight feature.
[Figure: Client - (1) encrypted - Thunder ADC - (2) decrypted - Inspection and Protection devices (DLP, UTM, IDS, others) - Thunder ADC - (3) encrypted - Internet / Application Server]
4 New SSL Insight Features
4.1 Features
4.1.1 Enhancements for ACOS 4.0.3
• OCSP Support for Server Certificate Validation: an enhanced version of the server certificate validation
introduced in 4.0.3. The Thunder ADC validates the remote server's certificate before establishing the SSL
session with that server; this release adds support for OCSP and OCSP stapling.
• Debug Messages for SSL Failures: logs the TLS alert when an SSL session fails. It can be enabled on a
client-SSL or a server-SSL template.
• Forward Proxy Failsafe: a bypass option for when the SSL forward proxy fails. When enabled, a connection
whose SSL handshake fails is passed through without inspection instead of failing.
• Forward Proxy Inspect: matches traffic against an Aho-Corasick class list and applies SSL Insight only to
connections that match an entry in the class list.
Note: For configuration details of these features, refer to the A10 Thunder System and Administration Guide (available at
https://www.a10networks.com/support; site registration is required). These features are all available in the 4.0.1 SP9 build.
4.2 CA Certificate
A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self-
signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system.
The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC
appliance:
The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL
package installed (a 2048-bit RSA key, the size this guide recommends, and an explicit SHA-256 signature, which
avoids the SHA-1 default of older OpenSSL releases):
openssl genrsa -out <name>.key 2048
openssl req -new -x509 -sha256 -days 3650 -key <name>.key -out <name>.crt
Before using the certificate, inspect its X509v3 extensions and confirm that it carries the CA basic constraint
(openssl req -x509 sets CA:TRUE from the v3_ca section of the default OpenSSL configuration); client TLS stacks
do not accept forged server certificates issued by a certificate that lacks it.
Once generated, the certificate and its private key are imported onto the Thunder ADC appliance in the internal zone
using SFTP or SCP:
import ssl-cert <certificate name> scp://[user@]host/<source file>
The private key is imported with the same URL syntax using the import ssl-key command.
This CA certificate must also be pushed to all client machines on the internal network. If it is not, the
internal hosts receive an SSL "untrusted root" (unknown issuer) error whenever they connect to an SSL-enabled
site, because every server certificate they now see is issued by this CA. This can be done manually (see
Appendix I), or with an automated service such as Microsoft Group Policy Management. Login scripts can achieve
the same result for organizations that use Linux or UNIX clients. Applications that keep their own trust store
(Firefox is one; see Appendix I) or that pin certificates will still fail unless the CA is added to those stores too.
Note: Further details for Group Policy Management can be found at:
http://technet.microsoft.com/en-us/library/cc772491.aspx
5 Configuration Overview
Configuring the SSL Insight feature has three parts:
1. Network configuration on the Thunder ADC appliance
2. SSL Insight configuration on the Thunder ADC appliance
3. Configuration on the third-party security device
This guide follows the first approach, in which the Thunder ADC appliances are configured with untagged VLAN
interfaces.
SSL Insight Configuration on Internal Thunder ADC Appliance
-- A client-SSL template is used for this. The client-SSL template includes the required command
forward-proxy-enable, along with the local CA certificate (from section 4.2) and its private key, which is
used for signing the dynamically forged server certificates.
• The remote VE address of the Thunder ADC is added as an SLB server, establishing the security device path.
Port 8080 is defined for the security device path.
-- The command slb server defines the security device path, and port 8080 is added to it.
• Along with the protocol (HTTPS to HTTP), the destination port also changes from 443 to 8080.
-- A service group is defined with port 8080 and bound to the virtual port.
• However, the destination IP (i.e. the Internet server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
-- The incoming SSL traffic is intercepted and decrypted, then forwarded in clear text over HTTP on
port 8080 through the security device.
SSL Insight Configuration on External Thunder ADC Appliance
SSL Insight configuration on the external Thunder ADC appliance is simpler than the internal Thunder
ADC appliance configuration. It has the following key elements:
• Clear-text HTTP traffic entering on port 8080 is intercepted.
-- Port 8080 is defined under a wildcard VIP to achieve this.
• The next-hop gateway (default router) is defined as an SLB server.
-- The command slb server defines the default router IP address, and port 443 is added to it.
• Along with the protocol (HTTP to HTTPS), the destination port also changes from 8080 back to 443.
-- A service group is defined with port 443 and bound to the virtual port.
• However, the destination IP (i.e. the Internet server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
• Incoming HTTP traffic is converted back into SSL traffic and sent out on port 443.
-- A server-SSL template is defined and applied to the virtual port. The template includes the command
forward-proxy-enable. Optionally, a root CA certificate store file may also be applied to the server-SSL
template so that the remote server's certificate can be validated.
On the right hand side of the GUI within the Port section click Create.
4. Enter port parameters:
• Port: “8080”
• Protocol: “TCP”
• Health Monitor: Select blank (disabled).
• Click Add.
Note: In ACOS 2.7 code, the CLI required a colon between the server name and the port when you configured the
server device and port. In ACOS 4.0.x the colon is no longer required.
10. Select the Existing Server option and select SecurityDevice1_Path from the drop-down list.
11. Select the Port, “0”.
12. Click Add.
13. Repeat for UDP port 0.
14. Click OK.
Note: These steps assume that the CA certificate and its private key have been uploaded to the Thunder ADC
appliance. For instructions on uploading CA certificates and keys, please refer to the ACOS Application Delivery and
Server Load Balancing Guide (available at https://www.a10networks.com/support; site registration is required).
• Direct Server Return: Select Enabled, and select the Port Translation checkbox.
• Client-SSL Template: “SSLInsight_ClientSide”
Note: For brevity, only the CLI commands are shown in this section.
8 Summary
Unprecedented growth in encrypted traffic, coupled with increasing SSL key lengths and more computationally
complex SSL ciphers, makes it difficult for inline security devices to decrypt SSL traffic. A wide range of security
devices require visibility into encrypted traffic to discover attacks, intrusions and malware. SSL Insight, included
as a standard feature of Thunder ADC, offers organizations a powerful load-balancing, high availability and SSL
decryption solution. Using SSL Insight, organizations can:
• Analyze all network data, including encrypted data, eliminating blind spots in their threat protection
solution
• Provide advanced SSL inspection features and SSL decryption for third-party security devices
• Detect encrypted malware, insider abuse and attacks transported over SSL/TLS
• Deploy best-of-breed content inspection solutions to fend off cyber attacks
• Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit
ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors
Appendix
The appendices provide the configuration options referred to in the main document. Some of the features
shown have no GUI configuration yet; use the CLI-only configuration samples until the next ACOS release
becomes available.
Appendix B. Webroot BrightCloud URL Classification
[Figure: Client - (encrypted) - Internal Thunder ADC - (decrypted, or left encrypted for bypassed categories) - Internet - (encrypted) - Internet Server]
When a client browser sends a request to a URL, ACOS checks the category of the URL.
• If the category is one that the configuration bypasses, the internal Thunder ADC leaves the data encrypted
and sends it to the external Thunder ADC, which passes the encrypted data on to the server.
• If the category is not bypassed, the internal Thunder ADC decrypts the traffic and sends it to the traffic
inspection device.
Installation requirements:
• A Webroot/BrightCloud URL Classification subscription and per-appliance Thunder ADC licensing
(contact your Regional Sales Director for pricing).
• The internal Thunder ADC must have Internet access to download the Webroot database.
• DNS must be configured on the appliance.
To install the URL classification feature, you need a Webroot token license sent from the A10 Global
License Manager (GLM). Once received, import it from the CLI (there is no GUI for this step):
SSLi[internal](config)#import web-category-license "license token name"
Once the license has been imported, run the web-category enable command. This lets the Thunder ADC
communicate with the BrightCloud database server and download the URL classification database. The CLI
prints Done when the import was initiated successfully; otherwise it prints an error message. For additional
debugging and installation reference, please refer to the Webroot Category Installation Guide (available at
https://www.a10networks.com/support; site registration is required).
vThunder(config)#import web-category-license license use-mgmt-port scp://example@10.100.2.20/home/jsmith/webroot_license.json
Done.    <-- this brief message confirms successful import of the license
If a failure occurs, ACOS displays an error message similar to the following:
vThunder(config)#import web-category-license license use-mgmt-port scp://example@10.100.2.20/home/jsmith/webroot_license.json
Communication with license server failed    <-- this message indicates a failed import
Note: The Webroot database will download from the data interface by default. There is an option to configure from
the management interface but it is not recommended.
To enable the Webroot URL classification feature, the client-SSL template must contain a forward-proxy-bypass
web-category line for each category that is to be left encrypted. Here is a sample configuration:
slb template client-ssl ssli-client-template
forward-proxy-enable
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category business-and-economy
forward-proxy-bypass web-category health-and-medicine
Appendix D. Single Appliance SSL Insight Solution
To navigate from one partition to another in the GUI, select Partition: "xxxx" in the top right-hand corner and
choose the partition to configure.
Here are a few commonly used CLI commands for an ADP configuration:
• To create a partition: SSLi(config)#partition "internal" id 2 application-type adc
• To switch from one partition to another: SSLi(config)#active-partition "internal"
• The prompt then shows the current active partition: SSLi[internal](config)#
Once the SSL Insight partitions have been configured, the Thunder ADC appliance should have at least three
partitions: Shared, Internal and External.
Note: Please make sure that you are on the correct partition when creating configurations. In addition, you will need
to use the command system ve-mac-scheme system-mac to support MAC address duplication in a single-device
solution.
Appendix E. ICAP Support in Client Authentication Architecture
[Figure: Client - HTTP - Thunder ADC - HTTP - Security Appliance; the Thunder ADC also talks ICAP to DLP/AV services]
ICAP Workflow
1. The web client sends an HTTP request (for example, a GET) to the web server.
2. The Thunder ADC intercepts the request and forwards it to the ICAP server in an ICAP REQMOD message.
3. The ICAP server sends a REQMOD response to the Thunder ADC.
4. Depending on the ICAP REQMOD response, the Thunder ADC takes one of the following actions:
• The REQMOD response has Status Code 200 and contains an HTTP request.
The Thunder ADC sends the HTTP request contained in the ICAP response to the web server (instead of
the original intercepted HTTP request).
• The REQMOD response has Status Code 204.
The Thunder ADC sends the original intercepted HTTP request to the web server unmodified.
• The REQMOD response has Status Code 100.
The Thunder ADC sends more data to the ICAP server.
• The REQMOD response has Status Code 200 and contains an HTTP response.
The Thunder ADC does not send an HTTP request to the web server. Instead, it sends this HTTP
response back to the client (this is how a DLP or AV block page reaches the user).
• The REQMOD response has any other Status Code.
The Thunder ADC treats the ICAP response as if it were Status Code 204.
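The decision table above, worked as a small parser. This is an added example written for this page, not A10 code, and it does not describe how ACOS parses ICAP internally: it builds a few constructed REQMOD responses, reads the ICAP status line and the Encapsulated header (RFC 3507) to tell an encapsulated HTTP request from an encapsulated HTTP response, and returns the action listed above. Reading Status Code 100 as the ICAP preview mechanism is an assumption.

```python
"""Classify ICAP REQMOD responses into the Thunder ADC actions listed above.

Added example for this guide, not A10 code. The ICAP responses below are
constructed samples; the 'continue' handling assumes RFC 3507 preview mode.
"""
from typing import Dict, Optional, Tuple

# Constructed sample HTTP messages that an ICAP server might encapsulate.
HTTP_REQ = b"GET /clean.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def _icap(status_line: bytes, encapsulated: str, http: bytes = b"") -> bytes:
    """Assemble a constructed ICAP response carrying an Encapsulated header."""
    return (status_line + b"\r\nISTag: \"example-1\"\r\nEncapsulated: "
            + encapsulated.encode("ascii") + b"\r\n\r\n" + http)


# One constructed sample per case in the workflow above.
SAMPLES: Dict[str, bytes] = {
    "modified_request": _icap(b"ICAP/1.0 200 OK",
                              f"req-hdr=0, null-body={len(HTTP_REQ)}", HTTP_REQ),
    "unmodified": _icap(b"ICAP/1.0 204 No Content", "null-body=0"),
    "continue": b"ICAP/1.0 100 Continue\r\n\r\n",
    "blocked": _icap(b"ICAP/1.0 200 OK",
                     f"res-hdr=0, null-body={len(HTTP_RESP)}", HTTP_RESP),
    "server_error": _icap(b"ICAP/1.0 500 Server Error", "null-body=0"),
}


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an ICAP response into (status code, headers, encapsulated bytes)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _version, status, _reason = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return int(status), headers, encapsulated


def encapsulated_parts(headers: Dict[str, str]) -> Dict[str, int]:
    """Turn 'req-hdr=0, null-body=51' into {'req-hdr': 0, 'null-body': 51}."""
    parts: Dict[str, int] = {}
    for item in headers.get("encapsulated", "").split(","):
        name, _, offset = item.strip().partition("=")
        if name and offset.isdigit():
            parts[name] = int(offset)
    return parts


def reqmod_action(raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Map a REQMOD response to the action the workflow above prescribes.

    Returns (action, first line of the encapsulated HTTP message or None).
    """
    status, headers, encapsulated = parse_icap_response(raw)
    first_line = encapsulated.split(b"\r\n", 1)[0] if encapsulated else None
    if status == 100:
        return ("continue", None)          # send the rest of the previewed body
    if status == 204:
        return ("forward-original", None)  # server made no modification
    if status == 200:
        parts = encapsulated_parts(headers)
        if "req-hdr" in parts:
            return ("send-modified-request", first_line)  # replaces client request
        if "res-hdr" in parts:
            return ("reply-to-client", first_line)        # e.g. a block page
    # Any other status code (or a 200 without a usable Encapsulated header)
    # is treated exactly like 204: forward the original request.
    return ("forward-original", None)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17s} -> {reqmod_action(raw)}")
```

The "any other status" fallthrough is the fail-open behaviour described above: an ICAP server that errors out never blocks traffic, so an AV or DLP outage silently stops enforcement. Monitoring the ICAP service group's health is what turns that into a visible event.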
Configuration Requirements
The following configuration enables the Thunder ADC to hand decrypted requests and responses to any AV or DLP
solution that supports ICAP.
1. Configure the IP address of the ICAP server (port 1344 is the ICAP port registered by RFC 3507) and create the
ICAP service group:
ACOS(config)#slb server ICAP_SG1_Path 10.1.26.11
ACOS(config-real server)#port 1344 tcp
ACOS(config)#slb service-group ICAP_sg http
ACOS(config-slb svc group)#member ICAP_SG1_Path 1344
2. Create the ICAP REQMOD template. Include the ICAP service group and the URI of the ICAP REQMOD
service:
ACOS(config)#slb template reqmod-icap reqmod_abcd
ACOS(config-reqmod-icap)#service-group ICAP_sg
ACOS(config-reqmod-icap)#service-uri icap://abcd.com/reqmod_abcd
3. Create the ICAP RESPMOD template. Include the ICAP service group and the URI of the ICAP RESPMOD
service:
ACOS(config)#slb template respmod-icap respmod_abcd
ACOS(config-respmod-icap)#service-group ICAP_sg
ACOS(config-respmod-icap)#service-uri icap://abcd.com/respmod_abcd
4. Apply the REQMOD and RESPMOD templates to the HTTPS virtual port of the wildcard virtual server; the
templates act on the traffic after SSL Insight has decrypted it:
ACOS(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#template reqmod-icap reqmod_abcd
ACOS(config-slb vserver-vport)#template respmod-icap respmod_abcd
Appendix F. Bypass Client Certificate Authentication
Configuration for Bypassing SSL Insight for Client Authentication Traffic
Note: To bypass the traffic, the internal Thunder ADC stops SSL Insight processing and switches from HTTPS processing
to generic TCP proxy processing, so the client and the server complete their own TLS handshake, including the client
certificate exchange, end to end.
[Figure: Client - Internal Thunder ADC - Firewall - External Thunder ADC - Server; client-authentication traffic passes through without decryption]
Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic
To configure this feature, complete the following tasks:
• Configuring the Internal Thunder ADC device
• Configuring the External Thunder ADC device
!
slb server s1 3.3.3.1
port 8080 tcp
no health-check
!
slb service-group sg1 tcp
!
!
slb service-group sg1-8080 tcp
member s1:8080
!
!
slb template client-ssl ssl_int
cert new_self.crt
key new_self.key
forward-proxy-enable
forward-proxy-ca-cert new_self.crt
forward-proxy-ca-key new_self.key
forward-proxy-bypass client-auth contains abc.com
forward-proxy-bypass client-auth equals a10a10
forward-proxy-bypass client-auth class-list bypass
!
slb virtual-server vs1 0.0.0.0 acl 101
extended-stats
port 443 https
service-group sg1-8080
template client-ssl ssl_int
no-dest-nat port-translation
!
slb template server-ssl ssl_int
forward-proxy-enable
!
!
Figure 8: Bypass client certificate authentication
[A further figure shows the Explicit Proxy topology: Client - Explicit Proxy (Class-List, Policy Template) - Internet]
Appendix G. Explicit Proxy
This feature is available in ACOS release 2.7.2 and was reintroduced in ACOS release 4.0.1 SP9. When this feature
is enabled, an HTTP virtual port on the Thunder ADC intercepts HTTP requests from clients, validates both the
source and the destination, and forwards only those requests that come from permitted sources and are
addressed to permitted destinations. Destinations are validated by URL or hostname string. For approved
destinations, DNS is used to resolve the IP addresses.
Note: Explicit Proxy integrated with SSL Insight must be deployed in its own partition (ADP), separate from the SSL
Insight partition. Running Explicit Proxy and SSL Insight in the same partition, or on the same unpartitioned appliance,
will be supported in a future release.
Explicit Proxy Configuration
[Figure: client and Internet networks 203.0.113.0/24 and 198.51.100.0/24]
!
slb server fake-server 192.168.230.101
port 80 tcp
port 443 tcp
health-check-disable
!
slb server ubuntu_serv 192.168.221.70
port 80 tcp
port 443 tcp
Appendix H. Detailed Walkthrough of SSL Insight Packet Flow
1. The client completes a TCP handshake (SYN, SYN/ACK, ACK) with the internal Thunder ADC and sends its
Client-Hello. If a certificate for the requested server already exists in the cache, the Thunder ADC sends it to
the client and moves to step 2. Otherwise, it completes a TCP handshake with the remote server, sends its own
Client-Hello, and receives the Server-Hello carrying the server certificate (the server's public key, signed by a
well-known CA).
2. The Thunder ADC extracts the header information from the server certificate, replaces the Issuer and the
Public Key with those configured in the client-SSL template, re-signs the new certificate with the CA certificate
configured in the client-SSL template, and sends the reconstructed Server-Hello to the client.
3. The client's data is decrypted and sent in clear text through the firewall.
4. SSL reverse proxy: a new SSL session is initiated with the remote server, and the data is encrypted and sent to
the remote server.
5. The response is decrypted and sent through the firewall.
6. The response is encrypted again and sent to the client.
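Step 1 above is where the forward proxy must decide, from the Client-Hello alone, whether to intercept a connection or to bypass it as the configurations in Appendix B (web-category bypass) and Appendix F (client-auth bypass by contains, equals and class-list) do. The following added example, written for this page and not A10 code, builds a minimal TLS ClientHello, extracts the Server Name Indication (RFC 6066) from it, and evaluates bypass rules shaped like the forward-proxy-bypass lines in those sample configurations. The policy, the category table, the rule evaluation order and the handling of a Client-Hello without SNI are constructed assumptions, not ACOS internals.

```python
"""Extract the SNI from a TLS ClientHello and apply forward-proxy bypass rules.

Added example for this guide, not A10 code. Policy, category table and the
rule order are assumptions shaped like the forward-proxy-bypass config lines.
"""
import struct
from typing import Dict, Optional, Tuple

SNI_EXT = 0          # TLS extension type server_name (RFC 6066)
HOST_NAME = 0        # NameType host_name inside the server_name extension


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXT, len(server_name_list)) + server_name_list
    body = (b"\x03\x03" + bytes(32)               # client_version, random (zeros: sample)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00")                         # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:            # not a handshake record
        return None
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not handshake or handshake[0] != 0x01:           # not a ClientHello
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                # compression methods
    if pos + 2 > len(body):                             # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        lpos = 2                                        # skip server_name_list length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            lpos += 3
            if name_type == HOST_NAME:
                return data[lpos:lpos + name_len].decode("ascii")
            lpos += name_len
    return None


# Constructed policy mirroring the forward-proxy-bypass lines in this guide.
POLICY = {
    "client_auth_contains": ["abc.com"],
    "client_auth_equals": ["a10a10"],
    "client_auth_class_list": {"login.example.net"},
    "web_category_bypass": {"financial-services", "business-and-economy",
                            "health-and-medicine"},
}
# Constructed stand-in for the BrightCloud category lookup.
CATEGORY_DB: Dict[str, str] = {"bank.example.com": "financial-services",
                               "news.example.org": "news-and-media"}


def decide(record: bytes, policy=POLICY, category_db=CATEGORY_DB) -> Tuple[str, str]:
    """Return ('bypass'|'intercept', reason) for one ClientHello record."""
    host = parse_sni(record)
    if host is None:
        return ("intercept", "no SNI")   # assumption: hostname rules cannot match
    for needle in policy["client_auth_contains"]:
        if needle in host:
            return ("bypass", f"client-auth contains {needle}")
    if host in policy["client_auth_equals"]:
        return ("bypass", f"client-auth equals {host}")
    if host in policy["client_auth_class_list"]:
        return ("bypass", "client-auth class-list")
    category = category_db.get(host, "uncategorized")
    if category in policy["web_category_bypass"]:
        return ("bypass", f"web-category {category}")
    return ("intercept", f"web-category {category}")
```

Two things the decision logic makes visible: a substring rule such as contains abc.com also matches notabc.com and abc.com.evil.example, so an attacker who controls a hostname can pick one that lands in the bypass set and sails past inspection, which is why exact or class-list matches are preferable; and a client that omits SNI gives the proxy nothing to match on before it has seen the server certificate, so the policy for that case must be chosen deliberately rather than left to default.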
Generating a CA Certificate
The SSL Insight feature relies on a CA certificate and key pair: the Thunder ADC signs the server certificates it
forges for clients with this key, so the clients must trust the CA. A self-signed CA certificate can be generated by
the Thunder ADC appliance or created on a Linux system with OpenSSL installed. Alternatively, an ADC
administrator can request and install a CA-signed certificate (in practice a subordinate CA certificate issued by the
organization's own PKI) from the Thunder ADC appliance. For instructions on requesting a CA-signed certificate,
please see the Application Delivery and Server Load Balancing Guide (available at
https://www.a10networks.com/support; site registration is required).
To generate a self-signed certificate from Thunder ADC in ACOS version 4.0.1:
1. Select ADC > SSL Management.
2. Click Create.
3. Enter the name: SSLi-CA
4. Common name: SSLi-CA
5. Enter the rest of the certificate information in the remaining fields of the Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.
6. From the Key drop-down list, select the length in bits for the key (2048 is the recommended key size).
7. Click Create. The Thunder ADC device generates the self-signed certificate and its key. The new certificate
and key appear in the certificate list, ready to be used in client-SSL and server-SSL templates.
The root certificate must be imported onto the client machines. This can be done manually or using an
automated service such as Microsoft Group Policy Management.
Note: Further details for Group Policy Management can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx
Note: If the browser security settings normally block downloads, you may need to override them to export the
certificate from the Thunder ADC GUI. For example, in Internet Explorer, hold the Ctrl key while clicking Export. See the
Application Delivery and Server Load Balancing Guide (available at https://www.a10networks.com/support; site
registration is required) for more information and for the command line interface (CLI) instructions.
Installing a Certificate in Microsoft Windows 7 for Internet Explorer
4. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we
have selected the folder: Trusted Root Certification Authorities > Certificates.
5. Click the Action menu, point to All Tasks, and then click Import.
6. In Certificate Import Wizard, click Next to proceed to the File Import page.
Note: The Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate,
select the certificate type you want to import in the Open dialog box and click Open.
11. In the Security Warning popup window, select Yes, since you made an informed decision to import this
certificate.
12. If the import is successful, you will see a dialog box with the message “The import was successful.”
13. You can see the newly installed CA certificate under the specified folder.
3. Navigate to the HTTPS/SSL section of Chrome Settings and click the Manage certificates button.
4. In the certificate folder on the Trusted Root Certification Authorities tab, click the Import button and a
Certificate Import Wizard will appear.
7. Once the correct certificate has been located, click Next to install the certificate in the “Trusted Root
Certificate Authorities” certificate store. Click Next and Finish and then click OK.
2. From the Options window, select the Advanced settings option and then click the Certificate tab. From
the Certificates window, click the View Certificates button. Mozilla will display the Certificate Manager
dialog.
5. Select the Trust this CA to identify websites checkbox and click OK. Now, the certificate should be
imported and the client machine can access HTTPS applications without receiving an error message.
[Figure: SSL Insight with OCSP validation. Client, Firewall, Internal Thunder ADC (ADP 1 "Internal"), External Thunder ADC (ADP 2 "External"), Router, Internet, Remote Server and OCSP Server. A valid certificate is allowed ("Yes, Valid Certificate"); otherwise the session is dropped ("No (Drop Session)").]
[Figure: OCSP verification flow, steps 1 to 5. The Internal Thunder ADC checks whether an OCSP entry for the server is in its cache and whether the external certificate contains OCSP (stapling) information; if not, it connects to the OCSP server. Verification results are 'Good', 'Revoked' or 'Unknown'; a resolve failure or fetch failure drops the connection by default.]
1. CA certificates are imported onto the Internal Thunder ADC device.
2. The internal Thunder ADC device establishes a TCP connection and begins an SSL handshake with the remote server.
3. The server responds with its certificate and staples the OCSP status if OCSP stapling is supported by the server.
4. If the server response contains the stapled OCSP status as "good," then an SSL connection is established between the Thunder ADC device and the client. If OCSP stapling is not supported, the Internal Thunder ADC device requests certificate status information from the OCSP certificate server.
5. If the certificate of the external server is "revoked," the SSL connection is either dropped or bypassed depending on the Thunder ADC configuration. If the certificate of the external Thunder ADC device is "good," the SSL proxy connection is established between the client and the Thunder ADC device.
2. If the OCSP server responds that the certificate is valid, the internal Thunder ADC device caches the
certificate validity information together with its expiration time, expressed in seconds. If this OCSP entry expires
while a forged certificate corresponding to it is still in the cache, that forged certificate is also
aged out. When a new client request for the same website reaches the Thunder ADC device, the OCSP
verification and certificate forging process is repeated.
3. If the OCSP server responds that the certificate is not valid, then depending on the Thunder ADC device
configuration, Thunder ADC will either drop the connection or bypass the SSL proxy to allow the client to
connect directly to the external server.
Note: OCSP certificate validation is enabled by default. To disable the OCSP verification from the CLI, use the following
command:
slb template client-ssl ssli
forward-proxy-ocsp-disable
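The cache behaviour in steps 2 and 3 above, written out as a small simulation. This is an added example, not ACOS code: it models an OCSP entry with a TTL in seconds, ages the forged certificate out together with its OCSP entry, and returns "proxy", "bypass" or "drop" for a client session. The `responder` callable, the `verify_cert_drop` flag (standing in for forward-proxy-verify-cert-drop, off by default) and the `drop_on_fetch_failure` flag (the figure's "fetch fail" default) are assumptions made for the example.

```python
"""Simulation of the SSL Insight OCSP cache and drop/bypass decision (added example).

Not ACOS code: it only models the documented behaviour. Forged certificates age out
with their OCSP entry; an invalid certificate is bypassed by default, or dropped when
verify-cert-drop is enabled.
"""
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class OcspEntry:
    status: str
    expires_at: float  # absolute time in seconds: now + TTL returned by the responder


@dataclass
class ForwardProxyCache:
    # Models forward-proxy-verify-cert-drop: False = bypass invalid certs (the default).
    verify_cert_drop: bool = False
    # Models the flow chart's "fetch fail" default: drop when the responder is unreachable.
    drop_on_fetch_failure: bool = True
    ocsp: dict = field(default_factory=dict)    # host -> OcspEntry
    forged: dict = field(default_factory=dict)  # host -> re-signed certificate (placeholder)
    responder_queries: int = 0                  # counts real OCSP lookups, to show caching

    def _age_out(self, now: float) -> None:
        """Remove expired OCSP entries together with the forged certs that depend on them."""
        for host, entry in list(self.ocsp.items()):
            if entry.expires_at <= now:
                del self.ocsp[host]
                self.forged.pop(host, None)

    def handle_client(self, host: str, now: float, responder) -> str:
        """Return the action for a client TLS session to `host`: 'proxy', 'bypass' or 'drop'.

        `responder(host)` is a constructed stand-in for the OCSP server: it returns
        (status, ttl_seconds) or raises OSError when it cannot be reached.
        """
        self._age_out(now)
        entry = self.ocsp.get(host)
        if entry is None:
            try:
                status, ttl = responder(host)
            except OSError:
                return "drop" if self.drop_on_fetch_failure else "bypass"
            self.responder_queries += 1
            entry = OcspEntry(status, now + ttl)
            self.ocsp[host] = entry
        if entry.status == GOOD:
            # Forge (re-sign) the server certificate once per cache lifetime, then proxy.
            self.forged.setdefault(host, f"forged-cert-for-{host}")
            return "proxy"
        return "drop" if self.verify_cert_drop else "bypass"


if __name__ == "__main__":
    # Constructed responder: one good site with a 60 s TTL, everything else revoked.
    def responder(host):
        return (GOOD, 60) if host == "good.example" else (REVOKED, 60)

    cache = ForwardProxyCache()
    print(cache.handle_client("good.example", 0, responder))     # proxy (responder queried)
    print(cache.handle_client("good.example", 30, responder))    # proxy (served from cache)
    print(cache.handle_client("good.example", 61, responder))    # proxy (entry expired, re-queried)
    print(cache.handle_client("revoked.example", 61, responder)) # bypass (default)
    print(cache.responder_queries)                               # 3
```

The point worth noticing is the default in the last line: with verify-cert-drop off, a revoked upstream certificate is not blocked but handed to the client directly, so the client's own validation becomes the only check.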
There are several options for configuring OCSP certificate validation, so an administrator has to
understand how each of them is configured. Only the internal Thunder ADC device is configured; no changes or
feature enabling are required on the external Thunder ADC device.
Note: This new feature (in 4.0.3) can only be configured in the CLI. Configuration via the GUI will be available in a future
release.
To configure OCSP server validation, the following CLI commands are required:
• Source NAT pool - required so that the OCSP client and the Thunder Server Verification Module (SVM) can
dynamically initiate TCP connections; these connections need a source NAT pool address for the OCSP server
connections. The following commands are required for OCSP validation to function:
Thunder-Internal(config) #ip nat pool ocsp 5.5.5.100 5.5.5.100 netmask /24
Thunder-Internal(config) #slb svm-source-nat pool ocsp
• DNS - to be able to look up the IP address of the OCSP server for certificate validation, a DNS server
must be configured on the internal Thunder ADC device. A secondary DNS IP address can also be
configured for redundancy purposes.
Thunder-Internal(config) #ip dns primary 8.8.8.8
Once the required CLI commands are configured, configure the SSL client template on the internal Thunder ADC device
with the following commands:
Thunder-Internal(config) #slb template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_CAs
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca ALL_intermediate
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca new_self.crt
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA1
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA2
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA3
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA4
Thunder-Internal(config-client SSL) #forward-proxy-trusted-ca CA5
Thunder-Internal(config-client SSL) #forward-proxy-ca-cert enterpriseABC-selfsigned
Thunder-Internal(config-client SSL) #forward-proxy-ca-key enterpriseABC-key
Thunder-Internal(config-client SSL) #forward-proxy-enable
Another option within OCSP certificate validation is to make the internal Thunder ADC device drop the connection if the certificate
from the external server is not valid. By default, the internal Thunder ADC device does not drop connections for
invalid certificates.
#forward-proxy-trusted-ca
The command "forward-proxy-trusted-ca" bypasses all client connections if the external server certificate is invalid.
To drop the external server connection instead, use the following CLI command in the SSL client template:
#forward-proxy-verify-cert-drop
Route configuration for an inline single appliance with an L3V partition is required. The port 443 HTTPS on the
wildcard VIP must include the DNS server, and non-HTTP protocols must be bypassed. You must create a
dynamic-service template and bind it to the internal Thunder ADC device VIP.
To define the dynamic-service template, configure the following:
Thunder-Internal(config) #slb template dynamic-service dl
Thunder-Internal(config-dynamic-service) #dns server 8.8.8.8
Thunder-Internal(config-dynamic-service) #exit
Once the dynamic-service template is defined, bind it to the internal Thunder ADC device
VIP:
Thunder-Internal(config) #slb virtual-server Inside_VIP 0.0.0.0 acl 100
Thunder-Internal(config-slb vserver) #port 443 https
Thunder-Internal(config-slb vserver-vport) #no-dest-nat port-translation
Thunder-Internal(config-slb vserver-vport) #service-group FW1_Inspect_SG
Thunder-Internal(config-slb vserver-vport) #use-rcv-hop-for-resp
Thunder-Internal(config-slb vserver-vport) #template dynamic-service dl
Thunder-Internal(config-slb vserver-vport) #template http non-http-bypass
Thunder-Internal(config-slb vserver-vport) #template client-ssl SSLInsight_ClientSide
Thunder-Internal(config-slb vserver-vport) #exit
Note: this feature can be enabled on the Internal or External Thunder ADC device.
["decrypt_error"] = 51,
["export_restriction"] = 60,
["protocol_version"] = 70,
["insufficient_security"] = 71,
["internal_error"] = 80,
["user_canceled"] = 90,
["no_renegotiation"] = 100,
["unsupported_extension"] = 110,
["certificate_unobtainable"] = 111,
["unrecognized_name"] = 112,
["bad_certificate_status_response"] = 113,
["bad_certificate_hash_value"] = 114,
["unknown_psk_identity"] = 115
[Figure: SSL handshake between Client and Server, with Success and Failed outcomes.]
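The alert codes listed above are the TLS AlertDescription values a peer sends when a handshake fails, and reading them is the quickest way to tell why a client refused a forwarded session (for example, a client that does not trust the SSL Insight CA answers the forged certificate with a fatal unknown_ca alert). The following is an added example, not code from the page or from A10: it parses one plaintext TLS alert record and names its level and description. The table includes the codes the page lists (51 to 115) and adds the lower codes from RFC 5246 for completeness; the sample record is constructed.

```python
"""Decode a plaintext TLS alert record and name its description code (added example)."""
import struct

# AlertDescription values from RFC 5246 section 7.2. The page lists 51..115;
# the lower codes are added here from the RFC so any TLS 1.2 alert can be named.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 111: "certificate_unobtainable",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value", 115: "unknown_psk_identity",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def parse_alert_record(data: bytes) -> dict:
    """Parse one unencrypted TLS record (5-byte header + 2-byte alert body).

    Raises ValueError for anything that is not a well-formed plaintext alert;
    alerts sent after the handshake are encrypted and need the record layer
    decrypted first, which this helper does not do.
    """
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, ver_major, ver_minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(data) < 7:
        raise ValueError("plaintext alert body must be exactly 2 bytes")
    level, desc = data[5], data[6]
    return {
        "version": f"{ver_major}.{ver_minor}",   # 3.3 = TLS 1.2, 3.1 = TLS 1.0
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
        "fatal": level == 2,
    }


# Constructed sample: a fatal unknown_ca (48) alert from a TLS 1.2 client, i.e. the
# response of a client on which the SSL Insight CA certificate has not been installed.
SAMPLE_ALERT = bytes([21, 3, 3, 0, 2, 2, 48])

if __name__ == "__main__":
    print(parse_alert_record(SAMPLE_ALERT))
```

A run of fatal unknown_ca or bad_certificate alerts from many clients after an SSL Insight rollout usually means the CA import step described earlier did not reach those machines, rather than a problem on the server side.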
[Figure: Client-SSL template with Forward Proxy; Client, Proxy, Inspect.]
To enable this feature, the class-list strings (case sensitive) must be defined; the supported match types are "starts-with,"
"ends-with," and "contains or equal."
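How the three class-list match types behave against a server name, shown as an added example rather than the product's own matching code. The text format of the list (`pattern match-type action`, one entry per line) and the actions `bypass` and `intercept` are assumptions made for the example; matching is case sensitive, as the page notes, and "contains or equal" is implemented as a single substring test, so it also matches longer names that merely contain the pattern.

```python
"""Class-list string matching: starts-with, ends-with, contains-or-equal (added example)."""
from dataclasses import dataclass

MATCH_TYPES = ("starts-with", "ends-with", "contains")  # "contains" also covers equality


@dataclass(frozen=True)
class ClassListEntry:
    pattern: str
    match_type: str   # one of MATCH_TYPES
    action: str       # constructed: "bypass" (do not decrypt) or "intercept"

    def matches(self, name: str) -> bool:
        # Case sensitive on purpose: the page says class-list strings are case sensitive.
        if self.match_type == "starts-with":
            return name.startswith(self.pattern)
        if self.match_type == "ends-with":
            return name.endswith(self.pattern)
        if self.match_type == "contains":
            return self.pattern in name       # equality is the special case pattern == name
        raise ValueError(f"unknown match type {self.match_type!r}")


def parse_class_list(text: str) -> list:
    """Parse constructed 'pattern match-type action' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, match_type, action = line.split()
        if match_type not in MATCH_TYPES:
            raise ValueError(f"bad match type {match_type!r} in line: {raw!r}")
        entries.append(ClassListEntry(pattern, match_type, action))
    return entries


def decide(entries, server_name: str, default: str = "intercept") -> str:
    """First matching entry wins; names that match nothing get `default`."""
    for entry in entries:
        if entry.matches(server_name):
            return entry.action
    return default


# Constructed sample list: sites whose sessions must not be decrypted.
SAMPLE_CLASS_LIST = """
# pattern            match-type   action
.bank.example        ends-with    bypass
login.               starts-with  bypass
healthportal         contains     bypass
mail.example.com     contains     bypass    # "equal" is just contains with the full name
"""

if __name__ == "__main__":
    entries = parse_class_list(SAMPLE_CLASS_LIST)
    for name in ("www.bank.example", "www.Bank.example", "login.corp.example",
                 "mail.example.com", "mail.example.com.attacker.test", "www.example.org"):
        print(f"{name:35} -> {decide(entries, name)}")
```

The last two sample names show the caveat worth remembering when writing a bypass list: a "contains or equal" entry for mail.example.com also exempts any longer name that contains that string, so a name that should only match exactly is safer expressed as an "ends-with" entry with a leading dot plus a separate exact entry.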
[Figure: Inline Single Appliance Deployment Mode. Client, ADP 1 (SSL), HTTP, ADP 2 (SSL), Internet; legend: Secure Traffic, Clear Traffic.]
The Inline Single Appliance Deployment Mode provides SSL visibility to an inline security device. This
configuration has the following topology description:
• One partition decrypts SSL traffic and forwards it to security devices
• A second partition encrypts traffic
• L2 deployment
[Figure: Inline and Passive Deployment Mode. Client, Secure Web Gateway (SWG), IPS/Firewall, ATP / SIEM, Internet; legend: Secure Traffic, Clear Traffic.]
The Inline and Passive Deployment Mode shows multiple security devices running in a Layer 2 configuration or
in TAP mode using a mirror port configuration. This configuration has the following topology description:
• Open once and inspect multiple times
• Multiple security devices
• Inline (Layer 2) and passive (TAP) mode devices supported on SPAN/Mirror Port
[Figure: Network and Passive Deployment Mode. Client, Secure Web Gateway (SWG), IPS/Firewall, Internet; legend: Secure Traffic, Clear Traffic.]
The Network and Passive Deployment Mode shows multiple security devices running in a Layer 3 configuration
or in TAP mode using a mirror port configuration. This configuration has the following topology description:
• Open once and inspect multiple times
• Multiple security devices
• Network (Layer 3) and passive (TAP) mode devices supported on SPAN/Mirror Port
• High availability (HA) Support
[Figure: Inline Mode with Explicit Proxy Deployment Mode. Client, SSL (Explicit Proxy) ADP 1, ADP 2, ADP 3 SSL, Internet; legend: Secure Traffic, Clear Traffic.]
The Inline Mode with Explicit Proxy Deployment Mode is a combination of Explicit Proxy with SSL Insight
solutions. The first partition is configured as Explicit Proxy and the second and third partitions will be used for
SSL Insight configuration.
[Figure: ICAP Topology with Explicit Proxy Deployment Mode. ADP 1 (SSL), ADP 2 (SSL), Data Loss Prevention (DLP), Internet; legend: Secure Traffic, Clear Traffic.]
The ICAP Topology with Explicit Proxy Deployment Mode provides SSL visibility to an ICAP-enabled DLP. This
configuration has the following topology description:
• Requires an ICAP template, which is then bound to a vPort
• The ICAP solution is based on RFC 3507
• Configurable, and the solution can work with internal and external Thunder Series devices
[Figure: Passive Inline with Explicit Proxy Deployment. Client, SSL (Explicit Proxy) ADP 1, ADP 2, ADP 3 SSL, Firewall/IPS, HTTP, Internet; legend: Secure Traffic, Clear Traffic.]
The Passive Inline with Explicit Proxy Deployment offers explicit proxy configuration and supports multiple
inline and passive (TAP) security devices. Customers may deploy in explicit proxy mode when they are replacing
an existing explicit proxy or prefer it over our standard SSL proxy.
[Figure: Inline Mode with Bypass Switch/AFO Deployment. ADP 1 (SSL), ADP 2 (SSL), HTTP, Bypass Switch, Internet; legend: Bypass Traffic, Secure Traffic, Clear Traffic.]
The Inline Mode with Bypass Switch/AFO Deployment shows the standard inline deployment mode with the
option to deploy a bypass switch. AFO (Active Failover Open) utilizes network traffic as a heartbeat. If the
network heartbeat fails, the traffic will switch to bypass mode with network interruptions.
[Figure: Inline Mode with Bypass Switch/AFO Deployment, multi-device. Firewall or inline Security Device, HTTP, SSL, SSL, Bypass Switch, Internet; legend: Bypass Traffic, Secure Traffic, Clear Traffic.]
The Inline Mode with Bypass Switch/AFO Deployment shows the standard inline (L2) mode in a multi-device
deployment with a bypass switch option. AFO (Active Failover Open) utilizes network traffic as a heartbeat. If the
network heartbeat fails, the traffic will switch to bypass mode with network interruptions.
Corporate Headquarters: A10 Networks, Inc, 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668, Fax: +1 408 325-8666, www.a10networks.com
To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.
Part Number: A10-DG-16154-EN-04
Dec 2015
©2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.