SSL Insight Deployment for Thunder ADC DEPLOYMENT GUIDE
- Eustace Green
- 10 years ago
Table of Contents

1 Overview
2 Deployment Prerequisites
3 Architecture Overview
3.1 SSL Insight with an Inline Security Deployment
4 New SSL Insight Features
4.1 Features
4.2 CA Certificate
5 Configuration Overview
5.1 Thunder ADC Appliance Configuration Overview
6 Configuration Steps for Thunder ADC Appliances
6.1 Network Configuration on the Thunder ADC Appliances
6.2 Configure VLANs and add Ethernet and Router Interfaces
6.3 Configure IP Addresses on the VLAN Router Interfaces
6.4 SSL Insight Configuration on the Thunder ADC Appliances
7 Configuration Steps for Security Device
8 Summary ... 19
Appendix ... 20
Appendix A. Complete Configuration File for the Thunder ADC Appliance ... 20
Appendix B. Webroot BrightCloud URL Classification ... 21
Appendix C. Dynamic Port Intercept ... 23
  Configuration Samples for Dynamic Port Intercept ... 23
Appendix D. Single Appliance SSL Insight Solution ... 24
Appendix E. ICAP Support in Client Authentication Architecture ... 25
  ICAP Workflow ... 25
  Configuration Requirements ... 26
Appendix F. Bypass Client Certificate Authentication ... 26
  Configuration for Bypassing SSL Insight for Client Authentication Traffic ... 27
  Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic ... 27
Appendix G. Explicit Proxy ... 29
  Explicit Proxy Configuration ... 29
Appendix H. Detailed Walkthrough of SSL Insight Packet Flow ... 31
Appendix I. SSL Insight Certificate Installation Guide ... 32
  Generating a CA Certificate ... 32
  Installing a Certificate in Microsoft Windows 7 for Internet Explorer ... 33
  Installing a Certificate in Google Chrome ... 39
  Installing a Certificate in Mozilla Firefox ... 42
Appendix J. SSL Insight Features ... 44
  OCSP Certificate Validation ... 44
  OCSP Certificate Validation Process ... 45
  SSL Debug Alert Messages ... 47
  Forward Proxy Failsafe ... 48
  Command to disable Forward Proxy Failsafe ... 48
  Forward Proxy Inspect ... 48
  Internal Thunder ADC Ends-with Class-list Sample ... 49
  Internal Thunder ADC Key-string Length Class-list Sample ... 49
Appendix K. Reference Topologies ... 50
  SSL Insight Inline Single Appliance Deployment ... 50
  SSL Insight Inline and Passive Mode Security Devices ... 50
  SSL Insight Network and Passive Mode Security Devices ... 50
  SSL Insight Inline Mode with Explicit Proxy ... 51
  SSL Insight ICAP Topology with Explicit Proxy ... 51
  SSL Insight in Passive Inline with Explicit Proxy ... 52
  Inline Mode with Bypass Switch/AFO ... 52
  HA Inline Mode with Bypass Switch/AFO ... 52
About A10 Networks

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions.
1 Overview

Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and forensics, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to discover attacks, intrusions, and data exfiltration hidden in encrypted communications. Many types of security devices are deployed non-inline to monitor network traffic. These devices cannot decrypt outbound SSL traffic. Growing SSL bandwidth, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for even the most powerful inline security devices to decrypt SSL traffic.

To solve this challenge, the SSL Insight feature of the A10 Networks Thunder ADC line of application delivery controllers eliminates the blind spot imposed by SSL encryption: it offloads the CPU-intensive SSL decryption functions so that security devices can inspect encrypted traffic, not just clear text. The Thunder ADC SSL Insight feature acts as an SSL forward proxy: it intercepts SSL-encrypted traffic, decrypts it, and forwards it through a firewall or Intrusion Prevention System (IPS). It can also mirror the unencrypted traffic to non-inline security devices such as analytics or forensics products. A second Thunder ADC appliance then takes this traffic, encrypts it again, and sends it to the remote destination. Using A10's Application Delivery Partitions (ADPs), it is possible to use a single Thunder ADC appliance for encryption, decryption, and load balancing.
2 Deployment Prerequisites

Here are the requirements for an SSL Insight deployment:
- Thunder ADC appliances with A10 Networks Advanced Core Operating System (ACOS) version SP9 or later
- A third-party security device such as a firewall, security analytics or forensics appliance, or threat prevention platform, deployed in inline (Layer 2), routed (Layer 3) or ICAP mode (DLP or AV ICAP-enabled solutions only)

Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version SP9. Some features in this release may require CLI configuration only. If the guide does not show a GUI procedure for a feature, that feature is only available for CLI configuration.

3 Architecture Overview

This section illustrates a joint solution using Thunder ADC appliances and a third-party security device for SSL Insight capability. The SSL Insight services are provided by the Thunder ADC appliances, while traffic inspection and monitoring services are provided by the third-party security devices. This is a simple, inline SSL Intercept solution, using two Thunder ADC appliances for SSL decryption and re-encryption. For additional SSL Insight deployment options, please refer to Appendix J.

Note: The security devices in this deployment guide are set up in Layer 2 (L2) mode.

[Figure 1. SSL Insight and Firewall Load Balancing topology example (diagram: Client, Internal, Security Appliance, External, Internet)]
[Figure 2. SSL Insight and Firewall Load Balancing topology in one-box solution (diagram: ADP 1 Internal with Client and Firewall; ADP 2 External with Firewall and Router; Client, Security Appliance, Internet)]

3.1 SSL Insight with an Inline Security Deployment

The main feature of SSL Insight is to transparently intercept SSL traffic, decrypt it, and send it through the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re-encapsulated in SSL and sent to the destination. A ladder diagram is provided in Appendix B to show this process in greater detail.

There are three distinct stages for traffic in such a solution, depicted in Figure 2:
1. Encrypted: From the client to the internal Thunder ADC appliance, where traffic is encrypted.
2. Decrypted: From the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security device. Traffic is in clear text in this segment.
3. Encrypted: From the external Thunder ADC appliance to the remote server, where traffic is encrypted again.

Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide 1 for additional details on the SSL Insight feature.

[Figure 3. SSL Insight overview (diagram: Client, 1 Encrypted, Internal Thunder ADC, 2 Decrypted, Inspection and Protection (DLP, UTM, IDS, Others), External Thunder ADC, 3 Encrypted, Internet, Application Server)]

1 Go to to download/view this guide. Site registration is required.
4 New SSL Insight Features

With the growing demand for SSL Insight features, A10 has proactively delivered a new set of SSL Insight features in ACOS 4.x releases. Each upgrade release within 4.x has its own features, and the administrator must choose the build release based on solution needs. Upgrading to build will cover all the features of

4.1 Features

Enhancements for ACOS
- OCSP Support for Server Certificate Validation: an enhanced version of the server certificate validation introduced earlier. It validates a server certificate before enabling an SSL session with a remote server, and supports OCSP and OCSP stapling.
- Debug Messages for SSL Failures: logs TLS alerts when an SSL session fails; it can be applied to a client-ssl or server-ssl template.
- Forward Proxy Failsafe: a bypass option for when an SSL forward proxy fails. Enabling it bypasses SSL Insight for the traffic when the SSL handshake fails.
- Forward Proxy Inspect: inspects an Aho-Corasick class-list and performs SSL Insight on traffic that matches the class-list entries.

Note: The features described above are shown in detail in Appendix J.

Enhancements for ACOS
With ACOS 4.0.1, A10 introduced significant new features and capabilities that lay the foundation of a rapid services integration platform for enterprise, cloud, and service provider networks. Within the A10 SSL Insight framework, the following features have been added:
- URL Classification Web Category: classifies all traffic that passes through the A10 device, with the capability to bypass specific, sensitive data (for example, healthcare websites due to HIPAA regulations). Refer to Appendix B for more information.
- Single Appliance SSL Insight Feature: supports internal and external partitions deployed in a single A10 appliance. Refer to Appendix D for more information.
- Hypervisor-based SSL Insight Support: supports SSL Insight on ESXi, KVM and Hyper-V hypervisors through the A10 Networks vThunder line of virtual appliances.
- Dynamic Port Intercept: dynamically detects and intercepts the use of SSL, regardless of the protocol running on top of TCP. Refer to Appendix C for more information.
- ICAP Support in Client Authentication Architecture: enables the A10 device to support the Internet Content Adaptation Protocol (ICAP) on HTTP/HTTPS sessions. ICAP typically serves to provide data loss prevention (DLP) and antivirus services.
- Explicit Proxy Support for SSL Insight: enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).
- Bypass Client Authentication Traffic: enables the A10 device to bypass certain HTTPS traffic that requires client certificate authentication (CAC/PKI). When this type of traffic is subjected to SSL Insight, the CAC transaction fails.

Note: To see configuration details for these features, refer to the A10 Thunder System and Administration Guide 2. These features are all available in the SP9 build.

2 Go to to download/view this guide. Site registration is required.

4.2 CA Certificate

A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self-signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system. The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance:
    slb ssl-create certificate <certificate name>

The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL package installed (<days> is the validity period you choose):

    openssl genrsa -out <name>.key
    openssl req -new -x509 -days <days> -key <name>.key -out <name>.crt

Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using SFTP or SCP:

    import ssl-cert <certificate name> scp://[user@]host/<source file>

This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is not pushed, the internal hosts will get an SSL untrusted root error whenever they try to connect to a site with SSL enabled. This can be done manually (see Appendix C), or using an automated service such as Microsoft Group Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX clients.

Note: Further details for Group Policy Manager can be found at:

5 Configuration Overview

Configuration options for the SSL Insight feature are as follows:
1. Network configuration on the Thunder ADC appliance
2. SSL Insight configuration on the Thunder ADC appliance
3. Configuration on the third-party security device

5.1 Thunder ADC Appliance Configuration Overview

The following sections provide more information about the Thunder ADC configuration items listed in the previous section.

Network Configuration Overview

This solution has one Thunder ADC appliance in the external zone of the security devices and another Thunder ADC appliance in the internal zone of the security devices. This solution assumes that the security devices are configured in L2 transparent mode.
Therefore, the Thunder ADC interfaces can be configured in one of the following modes:
- As untagged VLAN interfaces with L3 Virtual Ethernet (VE) interfaces configured in the same subnet
- As tagged VLAN interfaces with L3 VEs configured in the same subnet
- As L3 PHY interfaces without requiring any VLANs

This guide follows the first approach, where the Thunder ADC appliances are configured with untagged VLAN interfaces.

SSL Insight Configuration Overview

The SSL Insight configuration differs slightly between the external and the internal Thunder ADC appliance. The primary difference is that a client-ssl template is required on the internal appliance and a server-ssl template on the external appliance. Only SSL traffic is intercepted.

SSL Insight Configuration on the Internal Thunder ADC Appliance

SSL Insight configuration on the internal Thunder ADC appliance has the following key elements:
- SSL traffic entering on port 443 is intercepted.
  -- Port 443 is defined under a wildcard VIP to achieve this.
- The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated, except for the issuer and the base64-encoded public key.
  -- A client-ssl template is used for this. The client-ssl template includes the required command forward-proxy-enable, along with the local CA certificate (from 4.1) and its private key, which is used for signing the dynamically forged certificates.
- The remote VE address of the external Thunder ADC is added as an SLB server, establishing the security device path. Port 8080 is defined for the security device path.
  -- The command slb server defines the security device path, and port number 8080 is added.
- Along with the protocol (HTTPS to HTTP), the destination port is also translated from 443 to the service-group port: a service group is defined with port 8080 and bound to the virtual port. The destination IP (i.e. the Internet server IP) remains unchanged. The command no-dest-nat port-translation achieves this.
  -- The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP on port 8080 through the security device.

SSL Insight Configuration on the External Thunder ADC Appliance

SSL Insight configuration on the external Thunder ADC appliance is simpler than the internal configuration. It has the following key elements:
- Clear-text HTTP traffic entering on port 8080 is intercepted.
  -- Port 8080 is defined under a wildcard VIP to achieve this.
- The next-hop gateway (default router) is defined as an SLB server.
  -- The command slb server defines the default router IP address, and port number 443 is added.
- Along with the protocol (HTTP to HTTPS), the destination port is also translated from 8080 to the service-group port: a service group is defined with port 443 and bound to the virtual port. The destination IP (i.e. the Internet server IP) remains unchanged.
  -- The command no-dest-nat port-translation achieves this.
- Incoming HTTP traffic is converted into SSL traffic before it is sent out. A server-ssl template is defined and applied to the virtual port. The template includes the command forward-proxy-enable.
- Optionally, a root CA certificate store file may also be applied to the server-ssl template.

Security Device Configuration

Third-party security devices must be configured according to the recommended best practices of the security vendor. The key requirements for enabling SSL Insight in this configuration are:
- ARP packets must be allowed for both the internal and the external Thunder ADC appliance.
- Health-check packets must be allowed from the internal Thunder ADC appliance to the external Thunder ADC appliance, unless health checks are disabled.

6 Configuration Steps for Thunder ADC Appliances

This section provides detailed steps for configuring SSL Insight on Thunder ADC. Complete configuration details for both the internal and the external Thunder ADC appliance are shown in Appendix A.
6.1 Network Configuration on the Thunder ADC Appliances

The steps in this section configure the following networking parameters:
- VLANs and their router interfaces
- Virtual Ethernet (VE) interfaces, which are the IP addresses assigned to VLAN router interfaces

The goal is to achieve the following IP addressing scheme on both Thunder ADC appliances, as shown in Figure 1:

    Unit           VLAN   VE      IP Address   Interface
    Internal ADC   10     ve 10   /24          eth1
    Internal ADC   15     ve 15   /24          eth5
    External ADC   20     ve 20   /24          eth1
    External ADC   15     ve 15   /24          eth5

6.2 Configure VLANs and add Ethernet and Router Interfaces

Configure the following VLAN parameters on the internal Thunder ADC appliance, as shown in Figure 1:
- VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface.
- VLAN-15: This is the path to the external Thunder ADC appliance through the security device. Add router-interface ve 15 along with the Ethernet interface.

Using the CLI:

    ACOS(config)#vlan 10
    ACOS(config-vlan:10)#untagged ethernet 1
    ACOS(config-vlan:10)#router-interface ve 10
    ACOS(config-vlan:10)#exit
    ACOS(config)#vlan 15
    ACOS(config-vlan:15)#untagged ethernet 5
    ACOS(config-vlan:15)#router-interface ve 15
    ACOS(config-vlan:15)#exit

Using the GUI:
1. Navigate to Network > VLAN.
2. Click Create.
3. Enter the VLAN ID and select the interfaces.
4. Enter a Name (optional).
5. Check Create Virtual Interface.
6. Click Create VLAN.
7. Repeat for each VLAN.
6.3 Configure IP Addresses on the VLAN Router Interfaces

Make sure the promiscuous VIP option is enabled under ve 10, so that inbound traffic is subjected to the wildcard VIP.

Using the CLI:

    ACOS(config)#interface ve 10
    ACOS(config-if:ve10)#ip address /24
    ACOS(config-if:ve10)#ip allow-promiscuous-vip
    ACOS(config-if:ve10)#exit
    ACOS(config)#interface ve 15
    ACOS(config-if:ve15)#ip address /24
    ACOS(config-if:ve15)#exit

Using the GUI:
1. Navigate to Network > Interfaces > Virtual Ethernets. The interfaces configured above should be visible.
2. Click Edit on ifnum 100 and configure the general fields and the IPv4 address.
3. Click Update when done.
4. Repeat for each VE.
5. Enter the IP Address and Subnet and click Add.
6. Enable the Allow Promiscuous VIP option.
7. Click Update and continue.

Repeat the steps above on the external Thunder ADC appliance pair, making sure to use unique IP addresses.

6.4 SSL Insight Configuration on the Thunder ADC Appliances

The SSL Insight configuration on the internal Thunder ADC appliance intercepts traffic on TCP port 443, decrypts it, and sends it in clear text over TCP port 8080 to the security device. Correspondingly, the external Thunder ADC appliance intercepts the clear-text traffic arriving on TCP port 8080 and encrypts it again before sending it to the remote hosts. All other traffic is bypassed using the wildcard TCP and UDP ports configured in the following sections.
6.4.1 Internal Thunder ADC Appliance

Use the following steps to configure the SSL Insight parameters on the internal Thunder ADC appliance.

Configure the Server for VLAN-15

These steps configure an slb server with the VE address of VLAN 15 on the external Thunder ADC appliance. TCP port 8080 is added under the slb server for SSL Insight, along with wildcard TCP port 0 and UDP port 0 for all other traffic.

Using the CLI:

    ACOS(config)#slb server SecurityDevice1_Path
    ACOS(config-real server)#port 8080 tcp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#port 0 tcp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#port 0 udp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#exit

Using the GUI:
1. Navigate to ADC > SLB > Servers.
2. Click Create.
3. Enter the following settings:
   Name: SecurityDevice1_Path
   Select IPv4
   IP Address:
   On the right-hand side of the GUI, within the Port section, click Create.
4. Enter the port parameters:
   Port: 8080
   Protocol: TCP
   Health Monitor: Select blank (disabled).
   Click Add.
5. Enter the port parameters:
   Port: 0
   Protocol: TCP
   Health Monitor: Select blank (disabled).
   Click Add.
6. Repeat for the UDP port, then click OK.

Configure a Service Group

The following steps add the slb server to a service group.

Using the CLI:

    ACOS(config)#slb service-group SSLi tcp
    ACOS(config-slb svc group)#member SecurityDevice1_Path 8080
    ACOS(config-slb svc group)#exit
    ACOS(config)#slb service-group All_TCP tcp
    ACOS(config-slb svc group)#member SecurityDevice1_Path 0
    ACOS(config-slb svc group)#exit
    ACOS(config)#slb service-group All_UDP udp
    ACOS(config-slb svc group)#member SecurityDevice1_Path 0
    ACOS(config-slb svc group)#exit

Note: In ACOS 4.0.x the CLI syntax has been updated: the 2.7 code requires a colon (:) between the server name and the port when you configure a service-group member, whereas in the newer version the colon is not required.

Using the GUI:
1. Navigate to ADC > SLB > Service Groups.
2. Click Create.
3. Enter the following parameters:
   Name: SSLi
   Type: TCP
4. Click Create in the Member section.
5. Select the Existing Server option, and select SecurityDevice1_Path from the drop-down list.
6. Enter the Port and click Create.
8. Enter the following parameters:
   Name: All_TCP
   Type: TCP
9. Click Create in the Service Groups section.
10. Select the Existing Server option and select SecurityDevice1_Path from the drop-down list.
11. Select the Port and click Add.
13. Repeat for the UDP port, then click OK.

Configure the Client-SSL Template

These steps show the configuration of the client-ssl template. The command forward-proxy-enable is what enables SSL Insight on the client-ssl template. "Forward proxy" is an A10-specific term and is different from the traditional explicit-proxy function.

Note: These steps assume that the CA certificate and the private key have been uploaded to the Thunder ADC appliance. For instructions on uploading CA certificates and keys, please refer to the ACOS Application Delivery and Server Load Balancing Guide 3.

Using the CLI:

    ACOS(config)#slb template client-ssl SSLInsight_ClientSide
    ACOS(config-client ssl)#forward-proxy-ca-cert SSLi-CA
    ACOS(config-client ssl)#forward-proxy-ca-key SSLi-CA
    ACOS(config-client ssl)#forward-proxy-enable
    ACOS(config-client ssl)#exit

Using the GUI:
1. Navigate to Config Mode > SLB > Template > SSL > Client SSL.
2. Click Create and select Client SSL.
3. Enter a Name: SSLInsight_ClientSide.
4. Select the CA certificate from the CA Certificate drop-down list.
5. Select the private key from the CA Private Key drop-down list.
6. Select Forward Proxy Enable.
7. Click OK.

3 Go to to download/view this guide. Site registration is required.
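The client-ssl template above signs forged certificates with the CA named SSLi-CA, and section 4.2 notes that every internal client must also trust that CA or it sees an untrusted-root error. The following Python script is an added example, not code from A10 or from this guide: it drives the openssl CLI to build such a CA, sign a certificate for a constructed hostname the way the forward proxy does for each intercepted site, and then verify that certificate once with the CA trusted and once without it. The CA name SSLi-CA, the hostname www.example.test, the 2048-bit key size and the validity periods are assumptions made here; the script returns None when openssl is not installed.

```python
import shutil
import subprocess
import tempfile


def _openssl(args, cwd):
    """Run one openssl command in cwd and return True when it exits with status 0."""
    result = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True)
    return result.returncode == 0


def make_ca(workdir, name="SSLi-CA", days=365):
    """Create the CA key and self-signed certificate as section 4.2 does, with the
    subject given on the command line so the run is non-interactive.
    Returns the key and certificate file names (relative to workdir)."""
    key, crt = f"{name}.key", f"{name}.crt"
    if not _openssl(["genrsa", "-out", key, "2048"], workdir):
        raise RuntimeError("CA key generation failed")
    if not _openssl(["req", "-new", "-x509", "-days", str(days), "-key", key,
                     "-out", crt, "-subj", f"/CN={name}"], workdir):
        raise RuntimeError("CA certificate generation failed")
    return key, crt


def issue_leaf(workdir, ca_key, ca_crt, hostname, days=30):
    """Sign a server certificate for hostname with the CA. This is the operation
    the forward proxy performs on the fly for every intercepted site; here it is
    done once, offline, so the trust outcome can be inspected."""
    steps = [
        ["genrsa", "-out", "leaf.key", "2048"],
        ["req", "-new", "-key", "leaf.key", "-out", "leaf.csr", "-subj", f"/CN={hostname}"],
        ["x509", "-req", "-in", "leaf.csr", "-CA", ca_crt, "-CAkey", ca_key,
         "-CAcreateserial", "-days", str(days), "-out", "leaf.crt"],
    ]
    for args in steps:
        if not _openssl(args, workdir):
            raise RuntimeError(f"openssl {args[0]} failed")
    return "leaf.crt"


def verify(workdir, cert, cafile=None):
    """Return True if openssl can build a trusted chain for cert. Without a CAfile
    only the system trust store is consulted, which is exactly the situation of a
    client that has not received the SSL Insight CA."""
    args = ["verify"] + (["-CAfile", cafile] if cafile else []) + [cert]
    return _openssl(args, workdir)


def demo(hostname="www.example.test"):
    """Build the CA, issue a certificate for a constructed hostname and verify it
    with and without the CA trusted. Returns None when the openssl CLI is absent."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        ca_key, ca_crt = make_ca(workdir)
        leaf = issue_leaf(workdir, ca_key, ca_crt, hostname)
        return {
            "client_trusts_ca": verify(workdir, leaf, cafile=ca_crt),   # True
            "client_without_ca": verify(workdir, leaf),                 # False
        }


if __name__ == "__main__":
    print(demo())
```

The second verification failing is the "SSL untrusted root" condition described in section 4.2; distributing SSLi-CA.crt to the clients (Group Policy, login scripts, or the manual steps in the certificate installation appendix) is what turns it into the first result.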
Configure the ACL

These steps show the configuration of an extended ACL that selects incoming traffic on VLAN-10. This ACL is used as part of the wildcard VIP configuration below.

Using the CLI:

    ACOS(config)#access-list 100 permit ip any any vlan 10

Using the GUI:
1. Navigate to Network > ACL > Extended.
2. Click Create.
3. Enter or select the following settings:
   ID: 100
   Select Entry
   Action: Permit
   Service: Protocol and IP
   Source Address: Source Address, and select Any
   Destination Address: Destination Address, and select Any
   VLAN ID:
   Click OK.
Configure the Wildcard VIP

These commands add the service groups to the TCP, UDP and others wildcard VIP ports. The no-dest-nat command preserves the destination IP address of load-balanced traffic. The others wildcard VIP port can take an already defined TCP service group or UDP service group; in this example, the UDP service group is used. For SSL Insight, virtual port 443 is used. The no-dest-nat port-translation command converts incoming port 443 traffic to port 8080 while preserving the destination IP address.

Using the CLI:

    ACOS(config)#slb virtual-server Outbound_Wildcard_VIP acl 100
    ACOS(config-slb vserver)#port 443 https
    ACOS(config-slb vserver-vport)#service-group SSLi
    ACOS(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
    ACOS(config-slb vserver-vport)#no-dest-nat port-translation
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 tcp
    ACOS(config-slb vserver-vport)#service-group All_TCP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 udp
    ACOS(config-slb vserver-vport)#service-group All_UDP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 others
    ACOS(config-slb vserver-vport)#service-group All_UDP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#exit

Using the GUI:
1. Navigate to ADC > SLB > Virtual Server.
2. Click Create.
3. Enter or select the following settings:
   Name: Outbound_Wildcard_VIP
   Wildcard: Select the checkbox.
   Access List:
4. In the Virtual Port area, click Create.
5. Enter or select the following settings:
   Name: Outbound_Wildcard_VP
   Type: HTTPS
   Port: 443
   Service Group: SSLi
   Direct Server Return: Select Enabled, and select the Port Translation checkbox.
   Client-SSL Template: SSLInsight_ClientSide
6. Enter or select the following settings:
   Type: TCP
   Port: 0
   Service Group: All_TCP
   Direct Server Return: Select Enabled.
7. Click OK to exit the Virtual Server Port configuration page.
8. Click OK to exit the Virtual Server configuration page.
Deployment Guide SSL Insight Deployment for Single-appliance Architecture

6.4.2 External Thunder ADC Appliance

Use the following steps to configure the SSL Insight parameters on the external Thunder ADC appliance.

Note: For brevity, only the CLI commands are shown in this section.

Add TCP Port 443 to the Default Gateway

These steps define the default gateway as an slb server and add TCP port 443 for HTTPS traffic under it.

    ACOS(config)#slb server Default_Gateway
    ACOS(config-real server)#port 443 tcp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#exit

Add TCP Port 0 and UDP Port 0 to the Default Gateway

These steps add TCP port 0 and UDP port 0 for all other traffic under the default gateway configuration.

    ACOS(config)#slb server Default_Gateway
    ACOS(config-real server)#port 0 tcp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#port 0 udp
    ACOS(config-real server-node port)#no health-check
    ACOS(config-real server-node port)#exit
    ACOS(config-real server)#exit

Bind the Server Ports to a Service Group

These steps add the default gateway server ports to service groups.

    ACOS(config)#slb service-group DG_SSL tcp
    ACOS(config-slb svc group)#member Default_Gateway 443
    ACOS(config-slb svc group)#exit
    ACOS(config)#slb service-group DG_TCP tcp
    ACOS(config-slb svc group)#member Default_Gateway 0
    ACOS(config-slb svc group)#exit
    ACOS(config)#slb service-group DG_UDP udp
    ACOS(config-slb svc group)#member Default_Gateway 0
    ACOS(config-slb svc group)#exit

Configure the Server-SSL Template

These steps configure the server-ssl template.

Using the CLI:

    ACOS(config)#slb template server-ssl SSLInsight_ServerSide
    ACOS(config-server ssl)#forward-proxy-enable
    ACOS(config-server ssl)#exit

Using the GUI:
1. Navigate to SLB / SLB.
2. Click Add.
3. Enter a Name: SSLInsight_ServerSide.
4. Click Create and select Server SSL.
5. Select Enabled next to SSL Forward Proxy.
6. Leave the other fields blank.
7. Click OK.
Configure an ACL to Intercept Incoming Traffic on VLAN-15 for a Wildcard VIP

These steps configure an extended ACL that selects traffic on VLAN-15. This ACL is used as part of the following wildcard VIP configuration:

    ACOS(config)#access-list 101 permit ip any any vlan 15

Configure the Wildcard VIP

These commands add the service groups to the TCP, UDP and others wildcard VIP ports. The no-dest-nat command preserves the destination IP address. Virtual port 8080 is added for the SSL Insight configuration. The no-dest-nat port-translation command converts incoming TCP port 8080 traffic to HTTPS port 443 while preserving the destination IP address.

    ACOS(config)#slb virtual-server Inside_To_Outside acl 101
    ACOS(config-slb vserver)#port 8080 http
    ACOS(config-slb vserver-vport)#service-group DG_SSL
    ACOS(config-slb vserver-vport)#template server-ssl SSLInsight_ServerSide
    ACOS(config-slb vserver-vport)#no-dest-nat port-translation
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 tcp
    ACOS(config-slb vserver-vport)#service-group DG_TCP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 udp
    ACOS(config-slb vserver-vport)#service-group DG_UDP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#port 0 others
    ACOS(config-slb vserver-vport)#service-group DG_UDP
    ACOS(config-slb vserver-vport)#no-dest-nat
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#exit

7 Configuration Steps for Security Device

Security devices must be configured in Layer 2, transparent mode. Please refer to the configuration steps in your security device documentation.
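To check that the two wildcard VIPs configured in 6.4.1 and 6.4.2 really produce the three traffic stages of Figure 3, here is an added Python model of the ACL match, virtual-port selection and no-dest-nat / port-translation behaviour. It is example code written for this page, not A10 code and not an ACOS feature: the server, service-group and VIP names are taken from the configuration above, while the IP addresses (RFC 5737 documentation range), the flow fields and the "state" bookkeeping are constructed for the example. It generalises one step beyond the text: any protocol other than TCP or UDP is sent to the others wildcard port, as the configuration implies.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """A constructed representation of one client connection as the ADC sees it."""
    vlan: int        # VLAN the packet arrives on
    proto: str       # "tcp", "udp" or anything else (falls to the "others" vport)
    dst_ip: str      # real destination (the Internet server)
    dst_port: int
    state: str       # "encrypted" (TLS) or "clear" (plain text)


# Per unit: the ACL bound to the wildcard VIP, and each virtual port mapped to
# (service group, real server, member port or None, ssl action or None).
# Port 0 is the ACOS wildcard port for that protocol; a member port of None means
# the service-group member is port 0 as well, i.e. no-dest-nat without
# port-translation leaves the destination port alone.
UNITS = {
    "internal": {                       # Outbound_Wildcard_VIP acl 100
        "acl_vlan": 10,
        "vports": {
            ("tcp", 443):   ("SSLi",    "SecurityDevice1_Path", 8080, "decrypt"),
            ("tcp", 0):     ("All_TCP", "SecurityDevice1_Path", None, None),
            ("udp", 0):     ("All_UDP", "SecurityDevice1_Path", None, None),
            ("others", 0):  ("All_UDP", "SecurityDevice1_Path", None, None),
        },
    },
    "external": {                       # Inside_To_Outside acl 101
        "acl_vlan": 15,
        "vports": {
            ("tcp", 8080):  ("DG_SSL",  "Default_Gateway", 443, "encrypt"),
            ("tcp", 0):     ("DG_TCP",  "Default_Gateway", None, None),
            ("udp", 0):     ("DG_UDP",  "Default_Gateway", None, None),
            ("others", 0):  ("DG_UDP",  "Default_Gateway", None, None),
        },
    },
}


def dispatch(unit_name, flow):
    """Return (service_group, next_hop, egress_flow) for a flow entering the given
    unit, or None when the ACL bound to the wildcard VIP does not match, in which
    case the VIP never sees the flow and nothing is intercepted."""
    unit = UNITS[unit_name]
    if flow.vlan != unit["acl_vlan"]:
        return None
    vports = unit["vports"]
    # A specific virtual port wins over the protocol's wildcard port 0; protocols
    # with no vport of their own land on the "others" wildcard.
    match = vports.get((flow.proto, flow.dst_port)) or vports.get((flow.proto, 0))
    if match is None:
        match = vports[("others", 0)]
    group, next_hop, member_port, action = match
    egress = flow                       # no-dest-nat: dst_ip is never rewritten
    if member_port is not None:         # no-dest-nat port-translation
        egress = replace(egress, dst_port=member_port)
    if action == "decrypt":             # client-ssl template with forward-proxy-enable
        egress = replace(egress, state="clear")
    elif action == "encrypt":           # server-ssl template with forward-proxy-enable
        egress = replace(egress, state="encrypted")
    return group, next_hop, egress


def end_to_end(flow):
    """Walk a client flow through the internal unit, across VLAN 15 (the security
    device path) into the external unit, and report the state at each stage."""
    stages = [("client->internal", flow.state)]
    hit = dispatch("internal", flow)
    if hit is None:
        return stages
    mid = replace(hit[2], vlan=15)      # it reaches the external unit on VLAN 15
    stages.append(("internal->external", mid.state))
    hit = dispatch("external", mid)
    if hit is None:
        return stages
    stages.append(("external->server", hit[2].state))
    return stages


if __name__ == "__main__":
    https = Flow(vlan=10, proto="tcp", dst_ip="203.0.113.10", dst_port=443, state="encrypted")
    for stage, state in end_to_end(https):
        print(f"{stage:20s} {state}")
```

Two things the model makes visible that the CLI listing does not: the destination IP survives both hops unchanged (only the port is rewritten, 443 to 8080 and back to 443), and a flow arriving on a VLAN not named in the ACL, for example a misconfigured uplink on VLAN 20, is not intercepted at all rather than failing loudly, so an ACL mismatch shows up as traffic that silently stays encrypted through the security device.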
8 Summary

Unprecedented growth in encrypted traffic, coupled with increasing SSL key lengths and more computationally complex SSL ciphers, makes it difficult for inline security devices to decrypt SSL traffic. A wide range of security devices require visibility into encrypted traffic to discover attacks, intrusions and malware. SSL Insight, included as a standard feature of Thunder ADC, offers organizations a powerful load-balancing, high-availability and SSL decryption solution. Using SSL Insight, organizations can:
- Analyze all network data, including encrypted data, eliminating blind spots in their threat protection solution
- Provide advanced SSL inspection features and SSL decryption for third-party security devices
- Detect encrypted malware, insider abuse and attacks transported over SSL/TLS
- Deploy best-of-breed content inspection solutions to fend off cyber attacks
- Maximize the performance, availability and scalability of corporate networks by leveraging A10's 64-bit ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors

For more information about Thunder ADC products:
Appendix

The Appendix section provides the configuration options referred to in the main document. Some features shown may not have GUI configuration; we suggest using the CLI-only configuration samples until the next ACOS release becomes available.

Appendix A. Complete Configuration File for the Thunder ADC Appliance

Internal Unit Configuration

    hostname Thunder-Internal
    vlan 10
      untagged ethernet 1
      router-interface ve 10
    vlan 15
      untagged ethernet 5
      router-interface ve 15
    access-list 100 permit ip any any vlan 10
    interface ve 10
      ip address
      ip allow-promiscuous-vip
    interface ve 15
      ip address
    slb server SecurityDevice1_Path
      port 0 tcp
        no health-check
      port 0 udp
        no health-check
      port 8080 tcp
        no health-check
    slb service-group All_UDP udp
      member SecurityDevice1_Path 0
    slb service-group All_TCP tcp
      member SecurityDevice1_Path 0
    slb service-group SSLi tcp
      member SecurityDevice1_Path 8080
    slb template client-ssl SSLInsight_ClientSide
      forward-proxy-enable
      forward-proxy-ca-cert SSLi-CA
      forward-proxy-ca-key SSLi-CA
    slb virtual-server Outbound_Wildcard_VIP acl 100
      port 0 tcp
        service-group All_TCP
        no-dest-nat
      port 0 udp
        service-group All_UDP
        no-dest-nat
      port 0 others
        service-group All_UDP
        no-dest-nat
      port 443 https
        service-group SSLi
        template client-ssl SSLInsight_ClientSide
        no-dest-nat port-translation
    end

External Unit Configuration

    hostname Thunder-External
    vlan 20
      untagged ethernet 1
      router-interface ve 20
    vlan 15
      untagged ethernet 5
      router-interface ve 15
    access-list 101 permit ip any any vlan 15
    interface ve 20
      ip address
    interface ve 15
      ip address
      ip allow-promiscuous-vip
    slb template server-ssl SSLInsight_ServerSide
      forward-proxy-enable
    slb server Default_Gateway
      port 0 tcp
        no health-check
      port 0 udp
        no health-check
      port 443 tcp
        no health-check
    slb service-group DG_TCP tcp
      member Default_Gateway 0
    slb service-group DG_UDP udp
      member Default_Gateway 0
    slb service-group DG_SSL tcp
      member Default_Gateway 443
    slb virtual-server Inside_To_Outside acl 101
      port 0 tcp
        service-group DG_TCP
        no-dest-nat
      port 0 udp
        service-group DG_UDP
        no-dest-nat
      port 0 others
        service-group DG_UDP
        no-dest-nat
      port 8080 http
        service-group DG_SSL
        template server-ssl SSLInsight_ServerSide
        no-dest-nat port-translation
    end

Appendix B. Webroot BrightCloud URL Classification

SSL Insight technology includes a subscription service called Dynamic Web Category Classification, delivered via Webroot BrightCloud's Threat Intelligence Services. This service allows customers to control at a granular level which types of SSL traffic to decrypt and which types to forward without inspection. Thunder ADC customers can analyze and secure SSL traffic while bypassing communications to sensitive sites such as banking and healthcare applications.

[Figure 4. A10 and Webroot architecture (diagram: Client, Encrypted, A10 Thunder ADC, Decrypted, Security Device, Encrypted, Internet, Internet Server; Web Classification Cloud)]
When a user's browser sends a request to a URL, ACOS checks the category of the URL. If the category is one the configuration bypasses, the Internal Thunder ADC leaves the data encrypted and sends it to the External Thunder ADC, which forwards the still-encrypted data to the server. If the category is not on the bypass list, the Internal Thunder ADC decrypts the traffic and sends it to the inspection device.

Installation requirements:
- A Webroot/BrightCloud URL Classification subscription and per-Thunder ADC device licensing (contact your Regional Sales Director for pricing).
- The Internal Thunder ADC must have Internet access to download the Webroot database.
- DNS must be configured.

To install the URL classification feature, you need a Webroot token license issued by the A10 Global License Manager (GLM). Once received, run the following command (CLI only):

  SSLi(config)#import web-category-license license <token name>

Once the license has been imported, enable the feature with the web-category enable command. This lets the Thunder ADC communicate with the BrightCloud database server and download the URL classification database. When the import is successfully initiated the CLI prints Done; otherwise an error message appears. For additional debugging and installation reference, see the Webroot Category Installation Guide (4).

  vthunder(config)#import web-category-license license use-mgmt-port scp://example@<host>/home/jsmith/webroot_license.json
  Done.   <-- this brief message confirms successful import of the license

If a failure occurs, ACOS displays an error message similar to the following:

  vthunder(config)#import web-category-license license use-mgmt-port scp://example@<host>/home/jsmith/webroot_license.json
  Communication with license server failed   <-- this message indicates a failed import

Note: The Webroot database downloads over the data interface by default. It can be configured to use the management interface instead, but this is not recommended.

To enable Webroot URL classification bypass, the client-SSL template must carry forward-proxy-bypass web-category entries. Here is a sample configuration:

  slb template client-ssl ssli-client-template
    forward-proxy-enable
    forward-proxy-bypass web-category financial-services
    forward-proxy-bypass web-category business-and-economy
    forward-proxy-bypass web-category health-and-medicine

Each bypassed category is a gap in inspection: a bypassed flow is passed through encrypted and never reaches the security device, so limit the bypass list to the categories that privacy or regulatory requirements actually demand.

(4) Download/view this guide from the A10 support site; site registration is required.
Appendix C. Dynamic Port Intercept

The Dynamic Port Intercept feature detects and intercepts SSL/TLS traffic on any TCP port, regardless of the application protocol running on top of TCP. Without it, only the virtual ports explicitly configured for HTTPS (port 443 in Appendix A) are decrypted, and TLS sessions on non-standard ports pass through uninspected.

The SSL Insight configuration stays the same apart from a few changes. On the Internal Thunder ADC, deploy two separate real-server configurations: one for SSL traffic and another for bypassed and non-SSL traffic. On the External A10 device, likewise deploy two real-server configurations, one for SSL traffic and one for non-SSL traffic, both forwarding to the Internet default gateway.

Configuration Samples for Dynamic Port Intercept (External device; the gateway's address is not reproduced here)

slb server Gateway <address>
  health-check-disable
  port 0 tcp
    health-check-disable
  port 0 udp
    health-check-disable
slb service-group Outbound_TCP tcp
  member Gateway 0
slb service-group Outbound_UDP udp
  member Gateway 0
slb template server-ssl Server-SSL
  forward-proxy-enable
slb virtual-server Outside_SSLi_VIP <address> acl 101
  port 0 tcp-proxy
    service-group Outbound_TCP
    template server-ssl Server-SSL
    no-dest-nat
    use-rcv-hop-for-resp
slb virtual-server Outside_nonSSLi_VIP <address> acl 102
  port 0 tcp
    service-group Outbound_TCP
    no-dest-nat
    use-rcv-hop-for-resp
  port 0 udp
    service-group Outbound_UDP
    no-dest-nat
    use-rcv-hop-for-resp
  port 0 others
    service-group Outbound_UDP
    no-dest-nat
    use-rcv-hop-for-resp
end

The port 0 tcp-proxy virtual port carrying the server-ssl template is what makes the intercept port-independent: it applies to every TCP session matched by ACL 101, not only to sessions on port 443.
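What the intercept has to do on the first bytes of every TCP session, as an added example (not ACOS code): recognise a TLS ClientHello regardless of the destination port and pull out the SNI so the usual bypass or inspect policy can be applied. The ClientHello bytes are constructed by build_client_hello() for the test; in practice they would be read from the socket.

```python
"""Detect a TLS ClientHello at the start of any TCP session and extract the SNI.

Added example, not ACOS code: the per-session decision a dynamic port
intercept makes on the first bytes of a stream, whatever the destination port.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (SNI)


def build_client_hello(sni, version=(3, 3)):
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry
    (constructed test input)."""
    host = sni.encode()
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name type 0
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (bytes(version)               # client_version
            + b"\x00" * 32               # random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00"                # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(data):
    """Return {'version': (major, minor), 'sni': str or None} if data starts
    with a complete ClientHello record, else None. Every offset is bounds
    checked so a truncated or non-TLS stream cannot raise."""
    if len(data) < 5 or data[0] != HANDSHAKE or data[1] != 3:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != CLIENT_HELLO:
        return None
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    if len(body) < 35:
        return None
    version = (body[0], body[1])
    pos = 34 + 1 + body[34]                                 # version, random, session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                    # compression_methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME:
                p = 2                                       # skip ServerNameList length
                while p + 3 <= len(edata):
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0 and p + nlen <= len(edata):
                        sni = edata[p:p + nlen].decode("ascii", "replace")
                        break
                    p += nlen
    return {"version": version, "sni": sni}


def classify_session(first_bytes):
    """Per-session verdict: ('intercept-ssl', sni) when the stream opens with a
    ClientHello on any port, ('non-ssl', None) otherwise."""
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return ("non-ssl", None)
    return ("intercept-ssl", hello["sni"])
```

The parser only needs the first record of the stream, which is why an intercept can decide before forwarding anything; a stream that starts with a partial record is treated as non-SSL rather than buffered, which is the conservative choice for a classifier that must not stall traffic.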
Appendix D. Single Appliance SSL Insight Solution

This section describes how to configure the Application Delivery Partitions (ADPs) for SSL Insight within a single A10 appliance. You need at least two partitions: one to decrypt SSL traffic and a second to re-encrypt it. To create a partition, use the Partition: shared drop-down on the right-hand side of the GUI and select +Create. Administrator privilege is required to create partitions.

Figure 5. Partition creation

  Partition Name | Device ID     | Type
  Internal       | unique number | ADC
  External       | unique number | ADC

To move from one partition to another, use the Partition: xxxx control in the top right-hand corner and select the partition to configure. Commonly used CLI commands for an ADP configuration:

To create a partition:
  SSLi(config)#partition internal id 2 application-type adc

To switch from one partition to another:
  SSLi(config)#active-partition internal
  Current active partition: internal
  SSLi[internal](config)#

Once the SSL Insight partitions have been configured, the Thunder ADC appliance should have at least three partitions: shared, Internal and External.

Note: Make sure you are in the correct partition when entering configuration; the prompt shows the active partition in square brackets. In addition, the command system ve-mac-scheme system-mac is required to support MAC address duplication in a single-device solution.
Appendix E. ICAP Support in Client Authentication Architecture

The Internet Content Adaptation Protocol (ICAP) has become a de facto standard in the security industry: a lightweight, HTTP-like protocol through which proxy servers or server load balancers hand content to adaptation services. A10 has developed an integration based on RFC 3507 to support SSL Insight deployments. To integrate the A10 Thunder ADC with ICAP services, deploy the A10 device as a forward proxy that intercepts HTTP and HTTPS traffic and passes it to a security device that offers ICAP services.

[Figure 6. ICAP integration: Client -> (HTTP) Thunder ADC -> (HTTP) Internet; the Thunder ADC exchanges ICAP messages with a security appliance providing DLP/AV services]

ICAP Workflow
1. The web client sends an HTTP request (for example, a GET) to the web server.
2. The Thunder ADC intercepts the request and forwards it to the ICAP server in an ICAP REQMOD message.
3. The ICAP server sends a REQMOD response to the Thunder ADC.
4. Depending on the ICAP REQMOD response, the Thunder ADC takes one of the following actions:
   - Status Code 200 with an encapsulated HTTP request: the Thunder ADC sends the HTTP request contained in the ICAP response to the web server (instead of the originally intercepted request).
   - Status Code 204: the Thunder ADC sends the original intercepted HTTP request to the web server.
   - Status Code 100: the Thunder ADC sends more data to the ICAP server.
   - Status Code 200 with an encapsulated HTTP response: the Thunder ADC does not send a request to the web server; it returns this HTTP response to the client.
   - Any other Status Code: the Thunder ADC treats the ICAP response as if it were Status Code
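The exchange in steps 2 to 4 above, as an added example that is not A10 code: build_reqmod() is the proxy side of step 2 (wrapping the intercepted HTTP request in a REQMOD message), decide() is step 4 (acting on the ICAP server's reply using the status-code rules listed). The ICAP replies are constructed sample messages; icap://abcd.com/reqmod_abcd is the service URI from the configuration example in this appendix.

```python
"""ICAP REQMOD exchange as the SSL Insight proxy sees it (added example)."""

SERVICE_URI = "icap://abcd.com/reqmod_abcd"

# Constructed sample: the request the client sent and the proxy intercepted.
ORIGINAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def build_reqmod(http_request, service_uri=SERVICE_URI):
    """Wrap an intercepted HTTP request in an ICAP REQMOD message (RFC 3507).
    The Encapsulated header tells the server where each HTTP part starts."""
    host = service_uri.split("//", 1)[1].split("/", 1)[0]
    icap_headers = (f"REQMOD {service_uri} ICAP/1.0\r\n"
                    f"Host: {host}\r\n"
                    f"Encapsulated: req-hdr=0, null-body={len(http_request)}\r\n"
                    "\r\n")
    return icap_headers.encode() + http_request


def parse_icap_response(raw):
    """Split an ICAP response into (status, header dict, encapsulated bytes).
    The first blank line ends the ICAP headers; whatever follows is the
    encapsulated HTTP request or response."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    proto, status = lines[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, encapsulated


def decide(original_request, icap_reply):
    """Apply the REQMOD status rules. Returns (action, payload):
      ('forward', request)   send this request on to the web server
      ('respond', response)  return this HTTP response to the client instead
      ('continue', None)     status 100: send the rest of the data to ICAP
      ('other', status)      a code whose handling the guide leaves to ACOS"""
    status, headers, encapsulated = parse_icap_response(icap_reply)
    parts = headers.get("encapsulated", "")
    if status == 204:
        return ("forward", original_request)        # unmodified
    if status == 100:
        return ("continue", None)
    if status == 200 and "res-hdr" in parts:
        return ("respond", encapsulated)            # ICAP supplied a response (block page etc.)
    if status == 200 and "req-hdr" in parts:
        return ("forward", encapsulated)            # ICAP supplied a modified request
    return ("other", status)


def icap_200(http_message, kind):
    """Constructed 200 reply encapsulating an HTTP request ('req') or
    response ('res') without a body, used as test input."""
    enc = f"{kind}-hdr=0, null-body={len(http_message)}"
    return (f"ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\nEncapsulated: {enc}\r\n\r\n"
            .encode() + http_message)
```

The Encapsulated header is the only thing that distinguishes the two 200 cases (a modified request versus a substituted response), which is why decide() keys on req-hdr versus res-hdr rather than on the status code alone.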
Configuration Requirements

The following configuration enables the Thunder ADC to hand traffic to any AV or DLP solution over ICAP in the client authentication architecture.

1. Configure the IP address of the ICAP server and create the ICAP service group (the server's address is not reproduced here):
   ACOS(config)#slb server ICAP_SG1_Path <address>
   ACOS(config-real server)#port 1344 tcp
   ACOS(config)#slb service-group ICAP_sg http
   ACOS(config-slb svc group)#member ICAP_SG1_Path 1344

2. Create the ICAP REQMOD template. Include the ICAP service group and the URI of the REQMOD service:
   ACOS(config)#slb template reqmod-icap reqmod_abcd
   ACOS(config-reqmod-icap)#service-group ICAP_sg
   ACOS(config-reqmod-icap)#service-uri icap://abcd.com/reqmod_abcd

3. Create the ICAP RESPMOD template. Include the ICAP service group and the URI of the RESPMOD service:
   ACOS(config)#slb template respmod-icap respmod_abcd
   ACOS(config-respmod-icap)#service-group ICAP_sg
   ACOS(config-respmod-icap)#service-uri icap://abcd.com/respmod_abcd

4. Apply the REQMOD and RESPMOD templates to the HTTPS virtual port of the wildcard virtual server, where the decrypted HTTP requests and responses are available:
   ACOS(config)#sl b virtual-server outbound_wildcard acl 100
   ACOS(config-slb vserver)#port 443 https
   ACOS(config-slb vserver-vport)#template reqmod-icap reqmod_abcd
   ACOS(config-slb vserver-vport)#template respmod-icap respmod_abcd

Note: 1344 is the standard ICAP port. The connection between the Thunder ADC and the ICAP server carries the decrypted content in clear text, so keep it on an isolated segment.

Appendix F. Bypass Client Certificate Authentication

Some HTTPS servers require client certificate authentication (CAC/PKI): the server authenticates the incoming request based on a certificate from the client's certificate store. Because SSL Insight terminates the client's TLS session and opens its own session to the server, it does not hold the client's certificate and key, and client authentication fails whenever the server requests it.

Client authentication traffic is therefore detected dynamically and bypassed, based on SNI matches. In the flow of Figure 7, after the Internal Thunder ADC receives the Client Hello from the client, it checks whether the server's certificate is already in its cache.
If the certificate is not cached, the Internal Thunder ADC opens a server-side SSL connection to the backend server to retrieve it. During that handshake the Internal Thunder ADC also detects whether the backend server requests a client certificate. If it does, the Internal Thunder ADC stops retrieving the certificate and checks whether the server name matches a configured bypass condition.

Note: To bypass the traffic, the Internal Thunder ADC stops SSL Insight processing and switches from HTTPS processing to generic TCP proxy processing. The client and server then complete their own TLS handshake end to end, and the security device sees only ciphertext for that session.
[Figure 7. Bypass client certificate authentication: Client -> Internal Thunder ADC VIP (:443, port translation 443 > 8080) -> TCP -> Firewall -> TCP -> External Thunder ADC VIP (:8080, port translation 8080 > 443) -> Server. The client certificate request and response pass through the bypassed SSL connection untouched.]

Client Authentication Traffic Network Example

The A10 Thunder devices do not have the private keys of real servers such as mail.google.com or mail.yahoo.com. Instead of the real server's certificate, the Internal Thunder ADC issues a certificate under its own key pair. Because the signing certificate on the Internal Thunder ADC is a CA certificate that the client trusts, the browser displays no warning about the forged certificate.

Configuration for Bypassing SSL Insight for Client Authentication Traffic

You can bypass SSL Insight for client authentication traffic by entering the following commands in the client-SSL template, one line per server or pattern to bypass:

  slb template client-ssl clientssl
    forward-proxy-bypass client-auth case-insensitive
    forward-proxy-bypass client-auth class-list testclass
    forward-proxy-bypass client-auth contains jsmith
    forward-proxy-bypass client-auth ends-with abc
    forward-proxy-bypass client-auth equals test.hello.com
    forward-proxy-bypass client-auth starts-with efg

The options:
- case-insensitive: the forward-proxy bypass matches are case-insensitive.
- class-list: bypass when the SNI string matches an entry in the named class-list.
- client-auth: the bypass applies only when the server requests client certificate authentication.
- contains: bypass when the SNI string contains the given string.
- ends-with: bypass when the SNI string ends with the given string.
- equals: bypass when the SNI string equals the given string.
- starts-with: bypass when the SNI string starts with the given string.

Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic

To configure this feature, complete the following tasks:
- Configure the Internal Thunder ADC device
- Configure the External Thunder ADC device
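The bypass matching just described, as an added example that is not ACOS code. It models the forward-proxy-bypass client-auth options: once the server-side probe shows that the server requests a client certificate, the session is bypassed only if the SNI from the Client Hello matches a configured condition (equals, starts-with, ends-with, contains or a class-list entry), compared case-insensitively when that option is set. The class-list and bypass rules reproduce the entries of the Internal device sample configuration in this appendix; the SNIs used in the test are made up.

```python
"""Client-auth bypass matching on the SNI (added example, not ACOS code)."""

# class-list bypass ac (starts-with / equals / contains entries)
CLASS_LIST_BYPASS = [
    ("starts-with", "a10a10"),
    ("equals", "ssl-i"),
    ("contains", "hello.com"),
]

# forward-proxy-bypass client-auth ... lines of template ssl_int
BYPASS_RULES = [
    ("contains", "abc.com"),
    ("equals", "a10a10"),
    ("class-list", CLASS_LIST_BYPASS),
]


def _match(kind, needle, sni):
    """One match primitive of the forward-proxy-bypass syntax."""
    if kind == "equals":
        return sni == needle
    if kind == "starts-with":
        return sni.startswith(needle)
    if kind == "ends-with":
        return sni.endswith(needle)
    if kind == "contains":
        return needle in sni
    raise ValueError(f"unknown match kind {kind}")


def matching_rule(sni, rules, case_insensitive=False):
    """Return the first rule that matches the SNI, or None. A class-list rule
    expands to its entries; a hit is reported as ('class-list', kind, value)."""
    fold = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    subject = fold(sni)
    for kind, arg in rules:
        if kind == "class-list":
            for entry_kind, entry in arg:
                if _match(entry_kind, fold(entry), subject):
                    return ("class-list", entry_kind, entry)
        elif _match(kind, fold(arg), subject):
            return (kind, arg)
    return None


def handle_session(sni, server_requests_client_cert, rules, case_insensitive=False):
    """Outcome for one session after the Internal Thunder ADC has probed the server:
      'decrypt'            server does not ask for a client cert: normal SSL Insight
      'bypass'             server asks for one and the SNI matched: generic TCP
                           proxy, the session stays encrypted end to end
      'client-auth-fails'  server asks for one but nothing matched: the proxy
                           cannot present the client's certificate, so the
                           server rejects the session (the failure this
                           appendix warns of)"""
    if not server_requests_client_cert:
        return "decrypt"
    if matching_rule(sni, rules, case_insensitive) is not None:
        return "bypass"
    return "client-auth-fails"
```

The third outcome is the one to watch for in production: a client-authenticated site that is missing from every rule does not fall back to bypass, it simply breaks for users, so new CAC/PKI sites need a rule before they are rolled out.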
Configuring the Internal Thunder ADC Device

The following output shows how to configure the Internal Thunder ADC device (interface and real-server addresses are not reproduced here):

class-list bypass ac
  starts-with a10a10
  equals ssl-i
  contains hello.com
access-list 101 permit ip any any
interface ethernet 4
  ip address <address>
  ip allow-promiscuous-vip
slb server s1 <address>
  port 8080 tcp
    no health-check
slb service-group sg1 tcp
slb service-group sg tcp
  member s1:8080
slb template client-ssl ssl_int
  cert new_self.crt
  key new_self.key
  forward-proxy-enable
  forward-proxy-ca-cert new_self.crt
  forward-proxy-ca-key new_self.key
  forward-proxy-bypass client-auth contains abc.com
  forward-proxy-bypass client-auth equals a10a10
  forward-proxy-bypass client-auth class-list bypass
slb virtual-server vs <address> acl 101
  extended-stats
  port 443 https
    service-group sg
    template client-ssl ssl_int
    no-dest-nat port-translation

Configuring the External Thunder ADC Device

The following CLI output shows how to configure the External Thunder ADC device:

access-list 101 permit tcp any any eq 8080
interface ethernet 3
  ip address <address>
  ip allow-promiscuous-vip
slb template server-ssl ssl_int
  forward-proxy-enable
slb server s2 <address>
  port 443 tcp
    no health-check
slb service-group sg1-443 tcp
  member s2:443
slb virtual-server vs <address> acl 101
  port 8080 http
    service-group sg1-443
    template server-ssl ssl_int
    no-dest-nat port-translation

Appendix G. Explicit Proxy

Explicit Proxy Configuration

The Explicit Proxy feature lets the Thunder ADC control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).

[Figure 8. Explicit Proxy: Client -> Explicit Proxy (class-list, policy template) -> Internet]

This feature first appeared in an earlier ACOS release and was reintroduced in the SP9 release. When it is enabled, an HTTP virtual port on the Thunder ADC intercepts HTTP requests from clients, validates both the source and the destination, and forwards only requests that come from permitted sources and go to permitted destinations. Destinations are validated on URL or hostname strings; for approved destinations, DNS is used to obtain the IP addresses.

Note: Explicit Proxy must be deployed in its own partition (ADP) when integrated with SSL Insight. Running Explicit Proxy and SSL Insight in the same partition or appliance will be supported in a future release.

Sample Configuration for Explicit Proxy

The class-lists of type ac (Aho-Corasick string matching) match the request's destination string against the listed substrings. A request whose source matches the source class-list and whose destination matches a destination class-list is handled by that rule's action. Real-server and virtual-server addresses and the entries of the ipv4 class-list src are not reproduced here.

class-list dest ac
  contains example
  contains google
  contains test
class-list dest1 ac
  contains example1
  contains america
class-list dest2 ac
  contains bank
  contains sample
class-list src ipv4
  <address>/32
  <network>/24
slb server fake-server <address>
  port 80 tcp
  port 443 tcp
  health-check-disable
slb server ubuntu_serv <address>
  port 80 tcp
  port 443 tcp
slb service-group fake-sg tcp
  health-check-disable
  member fake-server 80
  member fake-server 443
slb service-group ubuntu_sg tcp
  member ubuntu_serv 80
  member ubuntu_serv 443
slb template policy test
  forward-policy
    action a1
      forward-to-internet fake-sg snat snat fallback ubuntu_sg snat snat
      log
    action a2
      forward-to-service-group ubuntu_sg snat snat
      log
    action a3
      drop
      log
    source s1
      match-class-list src
      destination class-list dest action a1 url priority 10
      destination class-list dest1 action a2 url priority 300
      destination class-list dest2 action a3 url priority 15
    source s2
      match-any
      destination any action a1
slb virtual-server test <address>
  port 8080 http
    service-group fake-sg
    template policy test

Note: fake-server and fake-sg are required as placeholders for action forward-to-internet.
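The policy above walked through in code, as an added example (not ACOS code): a request is tested against the source class-list of each source block, then against that block's destination class-lists, and the matching rule's action is taken. ac class-lists are substring matches, the ipv4 class-list is a prefix match. Two things the guide does not state and which this model assumes: when more than one destination rule matches, the numerically higher priority wins (check the ACOS reference for the real precedence), and a source block whose destination rules all miss falls through to the next source block. The addresses in class-list src are made up, since the original entries are not reproduced.

```python
"""Explicit Proxy forward-policy evaluation (added example, not ACOS code)."""
import ipaddress

CLASS_LISTS = {
    "dest":  ("ac", ["example", "google", "test"]),
    "dest1": ("ac", ["example1", "america"]),
    "dest2": ("ac", ["bank", "sample"]),
    # made-up addresses standing in for the unreproduced entries of 'src'
    "src":   ("ipv4", ["10.10.10.5/32", "10.10.20.0/24"]),
}

ACTIONS = {
    "a1": "forward-to-internet fake-sg (fallback ubuntu_sg)",
    "a2": "forward-to-service-group ubuntu_sg",
    "a3": "drop",
}

POLICY = [
    # source s1: match-class-list src, then its destination rules
    {"source": "s1", "match": ("class-list", "src"), "destinations": [
        {"class-list": "dest",  "action": "a1", "priority": 10},
        {"class-list": "dest1", "action": "a2", "priority": 300},
        {"class-list": "dest2", "action": "a3", "priority": 15},
    ]},
    # source s2: match-any, destination any -> a1
    {"source": "s2", "match": ("any", None), "destinations": [
        {"class-list": None, "action": "a1", "priority": 0},
    ]},
]


def class_list_match(name, value):
    """ac lists: any listed substring occurs in value; ipv4 lists: value is
    an address inside any listed prefix."""
    kind, entries = CLASS_LISTS[name]
    if kind == "ac":
        return any(entry in value for entry in entries)
    address = ipaddress.ip_address(value)
    return any(address in ipaddress.ip_network(entry, strict=False) for entry in entries)


def source_matches(block, src_ip):
    kind, arg = block["match"]
    return kind == "any" or class_list_match(arg, src_ip)


def evaluate(src_ip, host):
    """Return (source-block name, action name) for a request from src_ip to
    host, or ('-', 'drop') when no block matches (assumption: fail closed)."""
    for block in POLICY:
        if not source_matches(block, src_ip):
            continue
        hits = [d for d in block["destinations"]
                if d["class-list"] is None or class_list_match(d["class-list"], host)]
        if hits:
            best = max(hits, key=lambda d: d["priority"])   # assumption, see lead-in
            return block["source"], best["action"]
    return "-", "drop"
```

Note how broad the ac substrings are: "example" in dest also matches every host that dest1's "example1" matches, so the outcome for such hosts depends entirely on the priority rule, which is why it is worth confirming that rule against the ACOS reference before relying on a policy like this one.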
Appendix H. Detailed Walkthrough of SSL Insight Packet Flow

Figure 9 shows the three legs of a session: Clients -> Internal A10 Thunder ADC (encrypted zone), Internal Thunder ADC -> Firewall -> External Thunder ADC (clear text zone), and External Thunder ADC -> Server (encrypted zone). The sequence of messages is:

1. The client completes the TCP handshake (SYN, SYN/ACK, ACK) with the Internal Thunder ADC and sends its Client Hello. If the server's certificate already exists in the cache, the Internal Thunder ADC answers from the cache and continues at step 2. Otherwise it opens its own TCP connection to the remote server and completes an SSL handshake (Client Hello; Server Hello carrying the real server certificate, whose public key is signed by a well-known CA; handshake messages; Finished) purely to obtain the certificate, then resets (RST) that probe connection.
2. The Internal Thunder ADC extracts the header information from the server certificate, replaces the Issuer and the public key with those of the client-SSL template, re-signs the new certificate with the CA certificate named in the client-SSL template, and sends the reconstructed Server Hello (server certificate with the local public key, signed by the local CA) to the client, followed by the remaining handshake messages and Finished.
3. Encrypted application data from the client is decrypted and sent in clear text through the firewall.
4. SSL reverse proxy: the External Thunder ADC initiates a new SSL session with the remote server, encrypts the data and sends it to the server.
5. The server's encrypted application response is decrypted and sent in clear text through the firewall.
6. The response is encrypted again and sent to the client.

Figure 9. SSL Insight packet flow

Two consequences follow. The certificate the client sees is never the server's own: its subject comes from the real certificate, but its key and issuer are the Internal Thunder ADC's, which is why the forging CA must be trusted by every client (Appendix I). And the clear text zone between the two devices carries every decrypted session, so the firewall and security device segment must be isolated from user-reachable networks.
Appendix I. SSL Insight Certificate Installation Guide

A prerequisite for configuring Thunder ADC's SSL Insight feature is generating a CA certificate whose private key is held by the appliance. This CA certificate must then be installed on all client machines on the internal network. If it is not installed, internal users see an untrusted-root SSL error whenever they connect to an SSL-enabled website. Because the Internal Thunder ADC signs a certificate for every site it decrypts with this key, the key can impersonate any site to every client that trusts it; protect it like a production CA key and do not reuse it across deployments.

This guide includes the following contents:
- Generating a CA Certificate
- Exporting a Certificate from Thunder ADC
- Installing a Certificate in Microsoft Windows 7 for Microsoft Internet Explorer
- Installing a Certificate in Google Chrome
- Installing a Certificate in Mozilla Firefox

Generating a CA Certificate

The SSL Insight feature relies on a certificate and key pair to encrypt traffic between clients and the Thunder ADC appliance. A self-signed certificate can be generated by the Thunder ADC appliance or created on a Linux system with OpenSSL installed. Alternatively, an ADC administrator can request and install a CA-signed certificate from the Thunder ADC appliance; since the certificate must be able to sign other certificates, such a request goes to the organization's own internal PKI, not to a public CA. For instructions on requesting a CA-signed certificate, see the Application Delivery and Server Load Balancing Guide (5).

To generate a self-signed certificate from Thunder ADC in ACOS version 4.0.1:
1. Select ADC > SSL Management.
2. Click Create.
3. Enter the name: SSLi-CA
4. Common name: SSLi-CA
5. Enter the rest of the certificate information in the remaining fields of the Certificate section.
   Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.
6. From the Key drop-down list, select the key length in bits (2048 is the recommended key size).
7. Click Create.

The Thunder ADC device generates the self-signed certificate and key. The new certificate and key appear in the certificate list and are ready to be used in client-SSL and server-SSL templates.

(5) Download/view this guide from the A10 support site; site registration is required.
Other Options to Generate a Certificate

Instead of creating a self-signed certificate within Thunder ADC, administrators can generate one on a Linux server. The following two commands generate a CA key and a self-signed CA certificate on a Linux system with the OpenSSL package installed (2048 bits, as recommended above; set -days to the validity period you want). Once generated, the certificate and key can be imported onto the Thunder ADC device using FTP or SCP.

  openssl genrsa -out ca.key 2048
  openssl req -new -x509 -days <days> -key ca.key -out ca.crt

The root certificate must be imported onto the client machines, either manually or with an automated service such as Microsoft Group Policy Manager.

Note: Further details on Group Policy Manager can be found in Microsoft's documentation.

Exporting a Certificate from Thunder ADC

To export a self-signed certificate from the Thunder ADC GUI in ACOS 4.0.1:
1. Select ADC > SSL Management.
2. On the menu bar, select Certificate.
3. Click Export.

Notes: If the browser's security settings normally block downloads, you may need to override them; for example, in Internet Explorer, hold the Ctrl key while clicking Export. See the Application Delivery and Server Load Balancing Guide (6) for more information and for command line interface (CLI) instructions.

Installing a Certificate in Microsoft Windows 7 for Internet Explorer

To import a self-signed CA certificate into your Windows 7 computer, you must be logged on as an administrator, and the certificate file must already have been copied onto the computer.
1. Open Certificate Manager by clicking the Start button.
2. Type certmgr.msc into the search box and press Enter.
3. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

(6) Download/view this guide from the A10 support site; site registration is required.
4. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we selected Trusted Root Certification Authorities > Certificates.
5. Click the Action menu, point to All Tasks, and then click Import.
6. In the Certificate Import Wizard, click Next to proceed to the File Import page.
7. Click Browse to locate the certificate file to import.
   Note: the Open dialog box displays only X.509 certificates by default. To import another type of certificate, select that certificate type in the Open dialog box and click Open.
8. Click Next.
9. Click Next.
10. Confirm your selections and click Finish.
11. In the Security Warning popup window, select Yes, since you made an informed decision to import this certificate.
12. If the import is successful, a dialog box with the message "The import was successful" appears.
13. The newly installed CA certificate is listed under the specified folder.

Installing a Certificate in Google Chrome

1. Open the Chrome browser.
2. Click the Customize and Control Google Chrome menu in the top right-hand corner of the browser window.
3. Navigate to the HTTPS/SSL section of Chrome Settings and click Manage certificates.
4. On the Trusted Root Certification Authorities tab, click Import; the Certificate Import Wizard appears.
5. In the Certificate Import Wizard, click Next.
6. Click Next, then browse to the location of the CA certificate.
7. Once the certificate has been located, click Next to install it in the Trusted Root Certification Authorities store. Click Next, then Finish, then OK.

Note: On Windows, Chrome uses the same Windows certificate store as Internet Explorer, so a certificate imported through certmgr.msc above is already trusted by Chrome; these steps reach that store through the Chrome settings UI.

Installing a Certificate in Mozilla Firefox

Mozilla Firefox maintains its own certificate store, and all root CA certificates it trusts are kept there, independently of the operating system's store. For SSL Insight to work, each client must therefore import the SSL Insight root certificate into Firefox as well; otherwise Firefox warns about a secure connection failure.
1. Launch the Firefox browser and open the Options window.
2. In the Options window, select Advanced and then click the Certificates tab. Click View Certificates; Firefox displays the Certificate Manager dialog.
3. Click Import.
4. Navigate to the certificate file and click Open. A Downloading Certificate window is displayed.
5. Select the "Trust this CA to identify websites" checkbox and click OK.

The certificate is now imported, and the client machine can access HTTPS applications without receiving an error message.
Appendix J. SSL Insight Features

OCSP Certificate Validation

OCSP certificate validation is a critical SSL Insight feature: acting as a proxy, the Internal Thunder ADC checks the status of the external server's certificate before it forges a certificate for the client. Using the CA certificates loaded on ACOS, it verifies that the server certificate chains to a trusted CA and asks the CA's OCSP responder whether the certificate has been revoked. OCSP validation is performed only on the backend (Internet-side) server certificate. After the TCP connection between the client and the Internal Thunder ADC has been established, the OCSP certificate validation begins.

[Figure 10. OCSP certificate validation: Client -> Internal Thunder ADC (ADP 1, client side to firewall side) -> External Thunder ADC (ADP 2, firewall side to router side) -> Internet -> Remote Server. The Internal Thunder ADC queries the OCSP server; a valid certificate lets the session continue, otherwise the session is dropped.]

[Figure 11. OCSP detailed certificate validation process: is there an OCSP entry in the cache? If not, does the certificate contain OCSP information? If the server does not staple OCSP status, connect to the OCSP certificate server and resolve the verification as good, revoked or unknown; a failed fetch defaults to dropping the connection.]

1. CA certificates are imported onto the Internal Thunder ADC device.
2. The Internal Thunder ADC establishes a TCP connection and begins an SSL handshake with the remote server.
3. The server responds with its certificate and, if it supports OCSP stapling, staples the OCSP status.
4. If the response contains a stapled OCSP status of good, the SSL connection between the Thunder ADC and the client is established. If OCSP stapling is not supported, the Internal Thunder ADC requests the certificate status from the OCSP server itself.
5. If the external server's certificate is revoked, the SSL connection is either dropped or bypassed, depending on the Thunder ADC configuration. If the certificate status is good, the SSL proxy connection between the client and the Thunder ADC is established.

OCSP Certificate Validation Process

1. The Internal Thunder ADC contacts the OCSP server named in the Authority Information Access (AIA) extension of the certificate sent by the Internet server. An OCSP request is sent to the OCSP URL in the AIA extension of each certificate in the chain for which the Internal Thunder ADC does not already have a cache entry. If the OCSP URL is an HTTP URL, an HTTP connection is initiated to that responder.
   If the OCSP URL is an HTTPS URL, the Thunder ADC does not continue OCSP verification for that certificate chain.
2. If the OCSP server responds that the certificate is valid, the Internal Thunder ADC caches the validity information together with its expiry time in seconds. If the OCSP entry expires while the forged certificate built on it is still in the cache, that forged certificate is aged out as well; the next client request for the same website triggers OCSP verification and certificate forging again.
3. If the OCSP server responds that the certificate is not valid, then, depending on the configuration, the Thunder ADC either drops the connection or bypasses the SSL proxy so that the client connects directly to the external server.

Note: OCSP certificate validation is enabled by default. To disable it from the CLI:
  slb template client-ssl ssli
    forward-proxy-ocsp-disable

There are several ways to configure OCSP certificate validation, so an administrator has to understand how the different options are configured. Only the Internal Thunder ADC is configured; no change or feature enabling is required on the External Thunder ADC.

Note: This feature (new in 4.0.3) can only be configured from the CLI. GUI configuration will be available in a future release.

To configure OCSP server validation, the following CLI configuration is required:

Source NAT pool: required so that the OCSP client and the Thunder Server Verification Module (SVM) can dynamically initiate TCP connections; those connections need a source NAT pool address for the OCSP responder connections.
The following commands make the OCSP lookups work (the pool's address range is not reproduced here):
  Thunder-Internal(config)#ip nat pool ocsp <start address> <end address> netmask /24
  Thunder-Internal(config)#slb svm-source-nat pool ocsp

DNS: to look up the IP address of the OCSP responder, a DNS server must be configured on the Internal Thunder ADC. A secondary DNS address can also be configured for redundancy.
  Thunder-Internal(config)#ip dns primary <address>

Once these prerequisites are in place, configure the client-SSL template on the Internal Thunder ADC with the trusted CA certificates (each forward-proxy-trusted-ca line names an imported CA or intermediate certificate, or a bundle of them) and the forging CA:
  Thunder-Internal(config)#slb template client-ssl SSLInsight_ClientSide
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca ALL_CAs
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca ALL_intermediate
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca new_self.crt
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca CA1
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca CA2
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca CA3
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca CA4
  Thunder-Internal(config-client ssl)#forward-proxy-trusted-ca CA5
  Thunder-Internal(config-client ssl)#forward-proxy-ca-cert enterpriseabcselfsigned
  Thunder-Internal(config-client ssl)#forward-proxy-ca-key enterpriseabc-key
  Thunder-Internal(config-client ssl)#forward-proxy-enable

Another option in OCSP certificate validation is to make the Internal Thunder ADC drop the session when the external server's certificate is not valid. By default the Internal Thunder ADC does not drop connections for invalid certificates.
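The validation flow of this section and the drop-or-bypass choice, as an added example that is not A10 code. Constructed chain records (certificate id, OCSP URL from the AIA extension, and the answer a responder would give) stand in for real X.509 parsing and HTTP. The rules come from the text: a stapled good status needs no query; otherwise every chain certificate without a cache entry is queried at its AIA URL; an https:// OCSP URL ends verification for that chain; answers are cached until they expire, and an expired entry also ages out the forged certificate for that site; a revoked answer drops the session when the verify-cert-drop setting is on and otherwise bypasses it; a query that gets no answer is dropped (the Figure 11 default). This model additionally assumes that a certificate with no OCSP URL in its AIA and an unknown answer are handled like revoked.

```python
"""OCSP validation decision on the Internal Thunder ADC (added example)."""


class OcspCache:
    def __init__(self):
        self.entries = {}    # cert id -> (status, expires_at)
        self.forged = {}     # site -> forged certificate (modelled as a string)

    def lookup(self, cert_id, site, now):
        """Return the cached status, or None. An expired entry is removed and
        takes the site's forged certificate with it (step 2 of the process)."""
        hit = self.entries.get(cert_id)
        if hit is None:
            return None
        status, expires_at = hit
        if expires_at > now:
            return status
        del self.entries[cert_id]
        self.forged.pop(site, None)
        return None

    def store(self, cert_id, status, ttl, now):
        self.entries[cert_id] = (status, now + ttl)


def query_responder(url, cert_id, responder_db):
    """Stand-in for the HTTP OCSP request to the AIA URL. responder_db maps
    (url, cert_id) -> (status, ttl_seconds); a missing key is a failed fetch."""
    return responder_db.get((url, cert_id))


def validate(site, chain, stapled_status, cache, responder_db,
             verify_cert_drop=False, now=0):
    """Return 'proceed', 'proceed-unverified', 'bypass' or 'drop' for one
    server-side handshake. chain is leaf first."""
    if stapled_status == "good":
        return "proceed"
    for cert in chain:
        cert_id = cert["id"]
        status = cache.lookup(cert_id, site, now)
        if status is None:
            url = cert.get("ocsp_url")
            if url is None:
                status = "unknown"                    # assumption, see lead-in
            elif url.startswith("https://"):
                return "proceed-unverified"           # guide: verification stops here
            else:
                answer = query_responder(url, cert_id, responder_db)
                if answer is None:
                    return "drop"                     # failed fetch (Figure 11 default)
                status, ttl = answer
                cache.store(cert_id, status, ttl, now)
        if status != "good":
            cache.forged.pop(site, None)
            return "drop" if verify_cert_drop else "bypass"
    cache.forged[site] = f"forged-cert-for-{site}"
    return "proceed"
```

The bypass branch is the one to think about: it hands the client the server's real, revoked certificate and leaves the decision to the browser, whereas verify-cert-drop fails closed. The cache lifetime is what bounds how long a revocation can go unnoticed for a site that clients keep visiting.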
With forward-proxy-trusted-ca configured alone, a client connection whose server certificate fails verification is bypassed: SSL Insight processing stops and the session is passed through encrypted, leaving the client's own browser to judge the server's certificate. To drop such connections instead, add the following command to the client-SSL template:
  Thunder-Internal(config-client ssl)#forward-proxy-verify-cert-drop

This is a fail-open versus fail-closed decision: bypass keeps users working but also removes the flow from inspection, so log and review bypassed sessions if you choose it.

Route configuration is required for an inline single appliance with an L3V partition. The port 443 HTTPS virtual port on the wildcard VIP must carry a dynamic-service template that names the DNS server, and non-HTTP protocols must be bypassed. Create the dynamic-service template and bind it to the Internal Thunder ADC VIP.

To define the dynamic-service template (the DNS server address is not reproduced here):
  Thunder-Internal(config)#slb template dynamic-service dl
  Thunder-Internal(config-dynamic-service)#dns server <address>
  Thunder-Internal(config-dynamic-service)#exit

Once the dynamic-service template is defined, bind it to the Internal Thunder ADC VIP:
  Thunder-Internal(config)#slb virtual-server Inside_VIP acl 100
  Thunder-Internal(config-slb vserver)#port 443 https
  Thunder-Internal(config-slb vserver-vport)#no-dest-nat port-translation
  Thunder-Internal(config-slb vserver-vport)#service-group FW1_Inspect_SG
  Thunder-Internal(config-slb vserver-vport)#use-rcv-hop-for-resp
  Thunder-Internal(config-slb vserver-vport)#template dynamic-service dl
  Thunder-Internal(config-slb vserver-vport)#template http non-http-bypass
  Thunder-Internal(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
  Thunder-Internal(config-slb vserver-vport)#exit

SSL Debug Alert Messages

This feature logs the TLS alert that explains why an SSL session failed. It is not enabled by default. It can be enabled in a client-SSL or server-SSL template, and each logged alert carries a brief description. Alerts can be triggered during the SSL handshake or while application data is being sent or received. Only fatal alerts are logged; the level is fixed at fatal and is not customizable.
To enable this feature, use the ACOS CLI and run the following command in the SSL template:

inside(config-client ssl)# enable-tls-alert-logging fatal

Note: this feature can be enabled on the internal or the external Thunder ADC device. The SSL alert descriptions that ACOS outputs, with their TLS alert codes, are listed below. The codes are those of the TLS alert description table (RFC 5246, section 7.2); the TLS specification defines close_notify and no_renegotiation as warning-level alerts, so they are unlikely to appear in a fatal-only log.

close_notify = 0
unexpected_message = 10
bad_record_mac = 20
decryption_failed = 21
record_overflow = 22
decompression_failure = 30
handshake_failure = 40
no_certificate = 41
bad_certificate = 42
unsupported_certificate = 43
certificate_revoked = 44
certificate_expired = 45
certificate_unknown = 46
illegal_parameter = 47
unknown_ca = 48
access_denied = 49
decode_error = 50
decrypt_error = 51
export_restriction = 60
protocol_version = 70
insufficient_security = 71
internal_error = 80
user_canceled = 90
no_renegotiation = 100
unsupported_extension = 110
certificate_unobtainable = 111
unrecognized_name = 112
bad_certificate_status_response = 113
bad_certificate_hash_value = 114
unknown_psk_identity = 115

Forward Proxy Failsafe

Forward Proxy Failsafe is a feature, new in this release, that lets ACOS dynamically bypass SSL Insight for a request when ACOS is unable to fetch the server certificate. It is enabled by default, and automatically bypassed transactions are logged to syslog with the keyword "bypassed". The option is available only in the client SSL template.

[Figure: client-side SSL handshake succeeds; server-side SSL fails; failsafe bypasses the session]

Leaving failsafe enabled favors availability over inspection coverage: any transaction whose server certificate cannot be fetched passes through without decryption or inspection, so the syslog entries carrying the "bypassed" keyword should be monitored. Sample client SSL template with Forward Proxy Failsafe disabled:

slb template client-ssl ssli
  enable-tls-alert-logging fatal
  forward-proxy-ca-cert 2k.pem
  forward-proxy-ca-key 2k.key
  forward-proxy-enable
  forward-proxy-failsafe-disable
  forward-proxy-bypass web-category financial-services
  forward-proxy-bypass web-category health-and-medicine
  non-ssl-bypass service-group nonssli-tcp

Forward Proxy Inspect

The Forward Proxy Inspect feature matches each connection against a class-list (using Aho-Corasick string matching) and performs SSL Insight only when a class-list entry matches. If no entry matches, forward proxy inspection fails and the SSL session is dropped.
[Figure: client SSL template with Forward Proxy Inspect; an Aho-Corasick class-list match (.com, .edu) succeeds and the session continues to the server; no class-list match fails and the SSL session is dropped]

To enable this feature, the class-list strings must be defined (they are case sensitive); the supported match types are starts-with, ends-with, contains and equals.

Internal Thunder ADC ends-with class-list sample:

class-list test ac
  contains ssl-inspect1
  ends-with .com
  ends-with .edu

Internal Thunder ADC client SSL template sample:

slb template client-ssl client-ssl
  forward-proxy-ca-cert ssl-ca
  forward-proxy-ca-key ssl-ca
  forward-proxy-enable
  forward-proxy-inspect inspect-list test

Internal Thunder ADC key-string length class-list sample:

class-list max-length-key-string ac
  contains

slb template client-ssl client-ssli
  forward-proxy-ca-cert ax-1024
  forward-proxy-ca-key ax-1024
  forward-proxy-enable
  forward-proxy-inspect inspect-list max-length-key-string
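The SSL Debug Alert Messages section above lists the alert codes that enable-tls-alert-logging fatal reports. The following is an added example, not code from the A10 guide or from ACOS: it decodes raw TLS alert records into (level, description) using that same table and keeps only the fatal ones, which is the filter the fatal-only logging applies. The sample records are constructed by hand for the example; parse_tls_alert and fatal_alerts are the example's own names.

```python
"""Decode plaintext TLS alert records and keep only the fatal ones.

Added example, not part of the A10 guide. The description table is the
TLS alert table from the guide (RFC 5246 section 7.2); the sample records
at the bottom are constructed for the example.
"""
import struct

ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 111: "certificate_unobtainable",
    112: "unrecognized_name", 113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value", 115: "unknown_psk_identity",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21   # TLS record content type for alerts


def parse_tls_alert(record: bytes):
    """Parse one plaintext TLS record; return (level, description) for an alert.

    Returns None when the record is not an alert (e.g. a handshake record) and
    raises ValueError when it is malformed. Only unencrypted alerts can be
    decoded this way; alerts sent after the handshake completes are encrypted.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if major != 3:
        raise ValueError(f"unexpected record version {major}.{minor}")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    if ctype != CONTENT_TYPE_ALERT:
        return None
    if length != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, desc = body[0], body[1]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"unknown_{desc}"))


def fatal_alerts(records):
    """Mimic fatal-only alert logging: return the description of every fatal alert."""
    out = []
    for rec in records:
        parsed = parse_tls_alert(rec)
        if parsed and parsed[0] == "fatal":
            out.append(parsed[1])
    return out


# Constructed sample records (TLS 1.2 record headers, version bytes 3.3):
SAMPLE_RECORDS = [
    bytes.fromhex("1503030002" + "0228"),      # fatal handshake_failure (40)
    bytes.fromhex("1503030002" + "0100"),      # warning close_notify (0)
    bytes.fromhex("1503030002" + "0230"),      # fatal unknown_ca (48)
    bytes.fromhex("1603030004" + "0e000000"),  # handshake ServerHelloDone, not an alert
]

if __name__ == "__main__":
    for name in fatal_alerts(SAMPLE_RECORDS):
        print("fatal alert:", name)
```

The warning-level close_notify and the handshake record are dropped, leaving handshake_failure and unknown_ca, which is what a fatal-only log would carry for these four records.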
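To make the Forward Proxy Failsafe and Forward Proxy Inspect behaviour above concrete, here is an added example, not A10 code and not the ACOS implementation: a small model of the client SSL template decision chain with an Aho-Corasick matcher behind the class-list contains entries, the starts-with / ends-with / equals match types, the web-category bypasses, and the failsafe bypass when the server certificate cannot be fetched. The evaluation order, the hostnames, the category labels, the server-side outcomes and the function names are assumptions made for illustration.

```python
"""Model of the client-SSL template decision chain from the guide:
forward-proxy-bypass web-category, forward-proxy-inspect class-list matching
(Aho-Corasick for the contains entries) and Forward Proxy Failsafe.

Added example, not A10 code. The evaluation order, hostnames, category labels
and server-side outcomes are assumptions; ACOS may order these checks differently.
"""
from collections import deque


class AhoCorasick:
    """Multi-pattern substring search; backs the class-list 'contains' entries."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for pat in patterns:                      # build the trie
            node = 0
            for ch in pat:
                nxt = self.goto[node].get(ch)
                if nxt is None:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    nxt = len(self.goto) - 1
                    self.goto[node][ch] = nxt
                node = nxt
            self.out[node].add(pat)
        queue = deque(self.goto[0].values())      # depth-1 nodes fail to the root
        while queue:                              # BFS to build failure links
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def search(self, text):
        """Return the set of patterns occurring anywhere in text."""
        node, found = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            found |= self.out[node]
        return found


MATCH_TYPES = ("starts-with", "ends-with", "contains", "equals")


class ClassList:
    """Case-sensitive class-list of (match-type, string) entries, like
    'class-list test ac' followed by 'contains ...' / 'ends-with ...' lines."""

    def __init__(self, name, entries):
        bad = {kind for kind, _ in entries} - set(MATCH_TYPES)
        if bad:
            raise ValueError(f"unsupported match type(s): {sorted(bad)}")
        self.name = name
        self.starts = [s for kind, s in entries if kind == "starts-with"]
        self.ends = [s for kind, s in entries if kind == "ends-with"]
        self.equals = {s for kind, s in entries if kind == "equals"}
        self.contains = AhoCorasick([s for kind, s in entries if kind == "contains"])

    def matches(self, host):
        return (host in self.equals
                or any(host.startswith(s) for s in self.starts)
                or any(host.endswith(s) for s in self.ends)
                or bool(self.contains.search(host)))


def forward_proxy_decision(template, host, web_category, server_cert_fetched):
    """Action for one HTTPS connection: 'bypass' (web-category bypass, never
    decrypted), 'drop' (inspect class-list did not match), 'failsafe-bypass'
    (server certificate not fetched and failsafe enabled) or 'inspect'."""
    if web_category in template["bypass_categories"]:
        return "bypass"
    inspect_list = template.get("inspect_list")
    if inspect_list is not None and not inspect_list.matches(host):
        return "drop"
    if not server_cert_fetched:
        # Guide: failsafe bypasses and syslogs with keyword "bypassed"; what
        # happens with forward-proxy-failsafe-disable is assumed here to be a drop.
        return "failsafe-bypass" if template["failsafe"] else "drop"
    return "inspect"


# Constructed template: the guide's 'class-list test ac' bound through
# 'forward-proxy-inspect inspect-list test', plus the two web-category bypasses.
INSPECT_LIST = ClassList("test", [("contains", "ssl-inspect1"),
                                  ("ends-with", ".com"),
                                  ("ends-with", ".edu")])
TEMPLATE = {"bypass_categories": {"financial-services", "health-and-medicine"},
            "inspect_list": INSPECT_LIST, "failsafe": True}

# Constructed sample connections: (host, web category, server cert fetched?)
SAMPLE_CONNECTIONS = [
    ("www.example.com", "search-engines", True),
    ("bank.example.com", "financial-services", True),
    ("intranet.corp.local", "business", True),
    ("ssl-inspect1.lab", "uncategorized", False),
]


def run_samples(template, connections=SAMPLE_CONNECTIONS):
    """Evaluate every sample connection and return (host, action) pairs."""
    return [(h, forward_proxy_decision(template, h, c, ok)) for h, c, ok in connections]


if __name__ == "__main__":
    for host, action in run_samples(TEMPLATE):
        print(f"{host:24} -> {action}")
    print("with forward-proxy-failsafe-disable:",
          run_samples(dict(TEMPLATE, failsafe=False))[-1])
```

The last sample host matches the class-list through the contains entry but its server certificate cannot be fetched: with failsafe enabled it is bypassed uninspected (the case the "bypassed" syslog keyword flags), and with forward-proxy-failsafe-disable it is dropped.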
Appendix K. Reference Topologies

SSL Insight Inline Single Appliance Deployment

[Figure: client, Thunder ADC partitions ADP 1 and ADP 2 with a firewall or inline security device between them, Internet; secure (SSL) traffic on the outer legs, clear (HTTP) traffic between the partitions]

The Inline Single Appliance Deployment Mode provides SSL visibility to an inline security device. This configuration has the following topology description:
- One partition decrypts SSL traffic and forwards it to the security devices
- A second partition re-encrypts the traffic
- L2 deployment

SSL Insight Inline and Passive Mode Security Devices

[Figure: client, Thunder ADC, Internet; ATP/SIEM, Secure Web Gateway (SWG) and IPS/Firewall on the clear-traffic segment]

The Inline and Passive Deployment Mode shows multiple security devices running in a Layer 2 configuration or in TAP mode using a mirror port. This configuration has the following topology description:
- Decrypt once, inspect multiple times
- Multiple security devices
- Inline (Layer 2) and passive (TAP) mode devices supported on a SPAN/mirror port

SSL Insight Network and Passive Mode Security Devices

[Figure: client, Thunder ADC, Internet; ATP/SIEM, Secure Web Gateway (SWG) and IPS/Firewall on the clear-traffic segment]

The Network and Passive Deployment Mode shows multiple security devices running in a Layer 3 configuration or in TAP mode using a mirror port. This configuration has the following topology description:
- Decrypt once, inspect multiple times
- Multiple security devices
- Network (Layer 3) and passive (TAP) mode devices supported on a SPAN/mirror port
- High availability (HA) support

SSL Insight Inline Mode with Explicit Proxy

[Figure: client, Thunder ADC partitions ADP 1 (explicit proxy), ADP 2 and ADP 3 with a firewall or inline security device between ADP 2 and ADP 3, Internet]

- First A10 partition: receives the explicit proxy traffic and forwards it as SSL; the HTTP CONNECT header is removed and the destination IP is changed
- Second A10 partition: decrypts the SSL traffic to HTTP and sends it to the firewall for inspection
- Third A10 partition: re-encrypts the HTTP traffic to SSL; the HTTPS traffic is forwarded to its destination

The Inline Mode with Explicit Proxy Deployment Mode combines the Explicit Proxy and SSL Insight solutions. The first partition is configured as the explicit proxy, and the second and third partitions carry the SSL Insight configuration.

SSL Insight ICAP Topology with Explicit Proxy

[Figure: Thunder ADC partitions ADP 1 and ADP 2 with a firewall or inline security device between them, a Data Loss Prevention (DLP) server reached over ICAP reqmod/respmod, Internet]

The ICAP Topology with Explicit Proxy Deployment Mode provides SSL visibility to an ICAP-enabled DLP. This configuration has the following topology description:
- Requires an ICAP template, which is then bound to a vport
- The ICAP solution is based on RFC 3507
- Configurable; the solution works with the internal and external Thunder Series devices

SSL Insight in Passive Inline with Explicit Proxy

[Figure: client, Thunder ADC partitions ADP 1 (explicit proxy), ADP 2 and ADP 3, Internet; ATP/SIEM and Firewall/IPS on the clear-traffic segment]

The Passive Inline with Explicit Proxy Deployment offers an explicit proxy configuration and supports multiple inline and passive (TAP) security devices. Customers may deploy in explicit proxy mode when they are replacing an existing explicit proxy or prefer it over the standard SSL Insight transparent proxy.

Inline Mode with Bypass Switch/AFO

[Figure: Thunder ADC partitions ADP 1 and ADP 2 with a firewall or inline security device between them, a bypass switch on the path, Internet; bypass traffic shown alongside secure and clear traffic]

The Inline Mode with Bypass Switch/AFO Deployment shows the standard inline deployment mode with the option of deploying a bypass switch. AFO (Active Failover Open) uses network traffic as a heartbeat. If the network heartbeat fails, the switch moves the traffic into bypass mode without interrupting the network; traffic that is bypassed in this way flows around the Thunder ADC and is neither decrypted nor inspected.

HA Inline Mode with Bypass Switch/AFO

[Figure: two Thunder ADC devices with a firewall or inline security device, a bypass switch on the path, Internet; bypass traffic shown alongside secure and clear traffic]

The HA Inline Mode with Bypass Switch/AFO Deployment shows the standard inline (L2) mode in a multi-device deployment with the bypass switch option. AFO (Active Failover Open) uses network traffic as a heartbeat. If the network heartbeat fails, the switch moves the traffic into bypass mode without interrupting the network, and the bypassed traffic is likewise not inspected.
About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide.

Corporate Headquarters: A10 Networks, Inc., 3 West Plumeria Ave., San Jose, CA, USA

Part Number: A10-DG EN-04, Dec 2015

To learn more about the A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks or talk to an A10 sales representative.

A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
About the VM-Series Firewall
About the VM-Series Firewall Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
vrealize Automation Load Balancing
vrealize Automation Load Balancing Configuration Guide Version 6.2 T E C H N I C A L W H I T E P A P E R A U G U S T 2 0 1 5 V E R S I O N 1. 0 Table of Contents Introduction... 4 Load Balancing Concepts...
ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy
ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to
